From c3fdb13c494cd6bfce5523394863dc76c1afc9d3 Mon Sep 17 00:00:00 2001
From: Paul Buetow
Date: Wed, 26 Mar 2025 21:11:46 +0200
Subject: some tracepoints were not opening new fds
---
 internal/c/generate_tracepoints_c.raku | 22 +-
 internal/c/generated_tracepoints.c | 1068 ++++++++-----------------
 internal/file/file.go | 1 -
 internal/tracepoints/generated_tracepoints.go | 8 -
 internal/types/generated_types.go | 12 +-
 5 files changed, 367 insertions(+), 744 deletions(-) (limited to 'internal')
diff --git a/internal/c/generate_tracepoints_c.raku b/internal/c/generate_tracepoints_c.raku
index 5ac3878..b3f1a59 100644
--- a/internal/c/generate_tracepoints_c.raku
+++ b/internal/c/generate_tracepoints_c.raku
@@ -48,7 +48,6 @@ role TracepointTemplate {
 my Str @parts;
 @parts.push: qq:to/BPF_C_CODE/;
- // {%vals.lc} is a {%vals}
 SEC("tracepoint/syscalls/{%vals}")
 int handle_{%vals.lc}(struct {ctx-struct} *ctx) \{
 __u32 pid, tid;
@@ -116,8 +115,11 @@ class OpenTracepoint does TracepointTemplate {
 }
 class PathnameTracepoint does TracepointTemplate {
+ has Str $.field-name is required;
+ submethod new (Str $field-name) { self.bless: :$field-name }
+
 method generate-bpf-c-tracepoint(%vals --> Str) {
- my Int \field-number = %vals.field-number('pathname');
+ my Int \field-number = %vals.field-number($.field-name);
 my Str $extra = qq:to/BPF_C_CODE/;
 __builtin_memset(\&(ev->pathname), 0, sizeof(ev->pathname));
 bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[{field-number}]);
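Review bot: In `PathnameTracepoint`, the positional constructor is declared as `submethod new`, which is not inherited, so a subclass calling `.new('filename')` would reach the default constructor, which accepts only named arguments; `method new(Str $field-name) { self.bless: :$field-name }` is the usual form. The class now reads either the `pathname` or the `filename` argument from `ctx->args[...]` but still copies it into `ev->pathname`, so a comment on the attribute such as `# name of the syscall argument that holds the user-space path pointer` would make that reuse explicit. The body of `generate-bpf-c-tracepoint` continues past the end of the hunk.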
@@ -176,12 +178,23 @@ class Format {
 self.set-format-impl($.name, field.name, field.type) unless $!format-impl;
 }
+
+ # Explicitly map some tracepoints
+ multi method set-format-impl(Str $s where /^sys_enter.*open.*/, 'filename', 'const char *') { $!format-impl = OpenTracepoint.new }
 multi method set-format-impl('sys_enter_fcntl', $, $) { $!format-impl = FcntlTracepoint.new }
+
+ # Tracepoints to ignore
+ multi method set-format-impl(Str $s where /^sys_enter_mknod/, $, $) { }
+ multi method set-format-impl(Str $s where /^sys_enter_execve/, $, $) { }
+
+ # Tracepoint groups by arguments
 multi method set-format-impl($, 'fd', 'unsigned int') { $!format-impl = FdTracepoint.new }
 multi method set-format-impl($, 'newname', 'const char *') { $!format-impl = NameTracepoint.new }
- multi method set-format-impl($, 'filename', 'const char *') { $!format-impl = OpenTracepoint.new }
- multi method set-format-impl($, 'pathname', 'const char *') { $!format-impl = PathnameTracepoint.new }
+ multi method set-format-impl($, 'pathname', 'const char *') { $!format-impl = PathnameTracepoint.new('pathname') }
+ multi method set-format-impl($, 'filename', 'const char *') { $!format-impl = PathnameTracepoint.new('filename') }
 multi method set-format-impl($, 'ret', 'long') { $!format-impl = RetTracepoint.new }
+
+ # All remaining tracepoints are ignored
 multi method set-format-impl($, $, $) { }
 method generate-c-constant returns Str { "#define {$!name.uc} {$!id}" }
@@ -237,6 +250,7 @@ my Format @formats = gather for
 say "// Ignoring {%syscall.values.map(*.name).sort} as enter-rejected";
 next;
 }
+
 .take for %syscall.values;
 }
diff --git a/internal/c/generated_tracepoints.c b/internal/c/generated_tracepoints.c
index 81e9705..66b38f9 100644
--- a/internal/c/generated_tracepoints.c
+++ b/internal/c/generated_tracepoints.c
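Review bot: In `class Format` (generate_tracepoints_c.raku), the two ignore rules are anchored only at the start, so `/^sys_enter_execve/` also drops `sys_enter_execveat` (the regenerated C file lists both as ignored) and `/^sys_enter_mknod/` would also match `sys_enter_mknodat`; name the intended syscalls in the `# Tracepoints to ignore` comment, or end-anchor the patterns, e.g. `/^sys_enter_execve$/`. `/^sys_enter.*open.*/` likewise matches any tracepoint with `open` anywhere in its name and a `filename` argument, and its trailing `.*` adds nothing. The new section comments imply that earlier candidates win, which appears to rely on declaration order among constrained multi candidates; a one-line comment stating that would keep a later reorder from silently changing which tracepoints get a handler. Since these rules decide which syscalls the tracer can observe, the reason exec and mknod are excluded belongs in that comment too.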
@@ -1,289 +1,293 @@ // Code generated - don't change manually! -// Ignoring sys_enter_accept4 sys_exit_accept4 as possibly not file I/O related -// Ignoring sys_enter_getresgid sys_exit_getresgid as possibly not file I/O related -// Ignoring sys_enter_pwritev sys_exit_pwritev as possibly not file I/O related -// Ignoring sys_enter_sched_rr_get_interval sys_exit_sched_rr_get_interval as possibly not file I/O related -// Ignoring sys_enter_sched_setaffinity sys_exit_sched_setaffinity as possibly not file I/O related -// Ignoring sys_enter_memfd_create sys_exit_memfd_create as possibly not file I/O related -// Ignoring sys_enter_munlock sys_exit_munlock as possibly not file I/O related -// Ignoring sys_enter_fallocate sys_exit_fallocate as possibly not file I/O related -// Ignoring sys_enter_sendmmsg sys_exit_sendmmsg as possibly not file I/O related -// Ignoring sys_enter_mount sys_exit_mount as possibly not file I/O related -// Ignoring sys_enter_umount sys_exit_umount as possibly not file I/O related -// Ignoring sys_enter_finit_module sys_exit_finit_module as possibly not file I/O related -// Ignoring sys_enter_landlock_restrict_self sys_exit_landlock_restrict_self as possibly not file I/O related -// Ignoring sys_enter_waitid sys_exit_waitid as possibly not file I/O related -// Ignoring sys_enter_ustat sys_exit_ustat as possibly not file I/O related -// Ignoring sys_enter_semop sys_exit_semop as possibly not file I/O related -// Ignoring sys_enter_mlockall sys_exit_mlockall as possibly not file I/O related -// Ignoring sys_enter_rt_sigqueueinfo sys_exit_rt_sigqueueinfo as possibly not file I/O related -// Ignoring sys_enter_recvfrom sys_exit_recvfrom as possibly not file I/O related -// Ignoring sys_enter_getpriority sys_exit_getpriority as possibly not file I/O related -// Ignoring sys_enter_getrusage sys_exit_getrusage as possibly not file I/O related -// Ignoring sys_enter_statmount sys_exit_statmount as possibly not file I/O related +// Ignoring 
sys_enter_mbind sys_exit_mbind as possibly not file I/O related +// Ignoring sys_enter_migrate_pages sys_exit_migrate_pages as possibly not file I/O related +// Ignoring sys_enter_ioprio_set sys_exit_ioprio_set as possibly not file I/O related +// Ignoring sys_enter_dup3 sys_exit_dup3 as possibly not file I/O related +// Ignoring sys_enter_truncate sys_exit_truncate as possibly not file I/O related +// Ignoring sys_enter_mmap sys_exit_mmap as possibly not file I/O related +// Ignoring sys_enter_sigaltstack sys_exit_sigaltstack as possibly not file I/O related +// Ignoring sys_enter_brk sys_exit_brk as possibly not file I/O related +// Ignoring sys_enter_execve sys_exit_execve as possibly not file I/O related // Ignoring sys_enter_timer_settime sys_exit_timer_settime as possibly not file I/O related -// Ignoring sys_enter_mlock sys_exit_mlock as possibly not file I/O related -// Ignoring sys_enter_setresuid sys_exit_setresuid as possibly not file I/O related -// Ignoring sys_enter_open_by_handle_at sys_exit_open_by_handle_at as possibly not file I/O related -// Ignoring sys_enter_clone sys_exit_clone as possibly not file I/O related -// Ignoring sys_enter_bpf sys_exit_bpf as possibly not file I/O related -// Ignoring sys_enter_fsopen sys_exit_fsopen as possibly not file I/O related -// Ignoring sys_enter_gettid sys_exit_gettid as possibly not file I/O related -// Ignoring sys_enter_sendmsg sys_exit_sendmsg as possibly not file I/O related -// Ignoring sys_enter_epoll_pwait sys_exit_epoll_pwait as possibly not file I/O related -// Ignoring sys_enter_socket sys_exit_socket as possibly not file I/O related +// Ignoring sys_enter_add_key sys_exit_add_key as possibly not file I/O related +// Ignoring sys_enter_futex_wake sys_exit_futex_wake as possibly not file I/O related +// Ignoring sys_enter_getpriority sys_exit_getpriority as possibly not file I/O related +// Ignoring sys_enter_getpeername sys_exit_getpeername as possibly not file I/O related +// Ignoring 
sys_enter_name_to_handle_at sys_exit_name_to_handle_at as possibly not file I/O related +// Ignoring sys_enter_tkill sys_exit_tkill as possibly not file I/O related // Ignoring sys_enter_syncfs sys_exit_syncfs as possibly not file I/O related +// Ignoring sys_enter_pkey_alloc sys_exit_pkey_alloc as possibly not file I/O related +// Ignoring sys_enter_socketpair sys_exit_socketpair as possibly not file I/O related +// Ignoring sys_enter_process_vm_readv sys_exit_process_vm_readv as possibly not file I/O related +// Ignoring sys_enter_request_key sys_exit_request_key as possibly not file I/O related // Ignoring sys_enter_mq_timedreceive sys_exit_mq_timedreceive as possibly not file I/O related -// Ignoring sys_enter_seccomp sys_exit_seccomp as possibly not file I/O related -// Ignoring sys_enter_exit_group sys_exit_exit_group as possibly not file I/O related -// Ignoring sys_enter_fgetxattr sys_exit_fgetxattr as possibly not file I/O related -// Ignoring sys_enter_getsockname sys_exit_getsockname as possibly not file I/O related -// Ignoring sys_enter_adjtimex sys_exit_adjtimex as possibly not file I/O related -// Ignoring sys_enter_mremap sys_exit_mremap as possibly not file I/O related -// Ignoring sys_enter_io_getevents sys_exit_io_getevents as possibly not file I/O related -// Ignoring sys_enter_listen sys_exit_listen as possibly not file I/O related +// Ignoring sys_enter_lsm_get_self_attr sys_exit_lsm_get_self_attr as possibly not file I/O related +// Ignoring sys_enter_readlink sys_exit_readlink as possibly not file I/O related +// Ignoring sys_enter_semctl sys_exit_semctl as possibly not file I/O related +// Ignoring sys_enter_personality sys_exit_personality as possibly not file I/O related +// Ignoring sys_enter_getsid sys_exit_getsid as possibly not file I/O related +// Ignoring sys_enter_setpgid sys_exit_setpgid as possibly not file I/O related +// Ignoring sys_enter_rt_sigreturn sys_exit_rt_sigreturn as possibly not file I/O related +// Ignoring 
sys_enter_ppoll sys_exit_ppoll as possibly not file I/O related +// Ignoring sys_enter_sendmsg sys_exit_sendmsg as possibly not file I/O related +// Ignoring sys_enter_map_shadow_stack sys_exit_map_shadow_stack as possibly not file I/O related +// Ignoring sys_enter_futex_waitv sys_exit_futex_waitv as possibly not file I/O related +// Ignoring sys_enter_io_cancel sys_exit_io_cancel as possibly not file I/O related +// Ignoring sys_enter_iopl sys_exit_iopl as possibly not file I/O related +// Ignoring sys_enter_sync sys_exit_sync as possibly not file I/O related // Ignoring sys_enter_sethostname sys_exit_sethostname as possibly not file I/O related -// Ignoring sys_enter_vmsplice sys_exit_vmsplice as possibly not file I/O related -// Ignoring sys_enter_timer_getoverrun sys_exit_timer_getoverrun as possibly not file I/O related -// Ignoring sys_enter_lsm_list_modules sys_exit_lsm_list_modules as possibly not file I/O related -// Ignoring sys_enter_getcwd sys_exit_getcwd as possibly not file I/O related -// Ignoring sys_enter_arch_prctl sys_exit_arch_prctl as possibly not file I/O related -// Ignoring sys_enter_getppid sys_exit_getppid as possibly not file I/O related -// Ignoring sys_enter_request_key sys_exit_request_key as possibly not file I/O related -// Ignoring sys_enter_prctl sys_exit_prctl as possibly not file I/O related -// Ignoring sys_enter_connect sys_exit_connect as possibly not file I/O related -// Ignoring sys_enter_futex_wait sys_exit_futex_wait as possibly not file I/O related -// Ignoring sys_enter_remap_file_pages sys_exit_remap_file_pages as possibly not file I/O related -// Ignoring sys_enter_recvmmsg sys_exit_recvmmsg as possibly not file I/O related -// Ignoring sys_enter_copy_file_range sys_exit_copy_file_range as possibly not file I/O related -// Ignoring sys_enter_lsm_set_self_attr sys_exit_lsm_set_self_attr as possibly not file I/O related -// Ignoring sys_enter_wait4 sys_exit_wait4 as possibly not file I/O related -// Ignoring 
sys_enter_eventfd2 sys_exit_eventfd2 as possibly not file I/O related -// Ignoring sys_enter_mount_setattr sys_exit_mount_setattr as possibly not file I/O related -// Ignoring sys_enter_vhangup sys_exit_vhangup as possibly not file I/O related -// Ignoring sys_enter_add_key sys_exit_add_key as possibly not file I/O related -// Ignoring sys_enter_dup3 sys_exit_dup3 as possibly not file I/O related // Ignoring sys_enter_dup2 sys_exit_dup2 as possibly not file I/O related -// Ignoring sys_enter_setns sys_exit_setns as possibly not file I/O related -// Ignoring sys_enter_socketpair sys_exit_socketpair as possibly not file I/O related -// Ignoring sys_enter_exit sys_exit_exit as possibly not file I/O related -// Ignoring sys_enter_clock_getres sys_exit_clock_getres as possibly not file I/O related -// Ignoring sys_enter_sched_get_priority_max sys_exit_sched_get_priority_max as possibly not file I/O related +// Ignoring sys_enter_memfd_secret sys_exit_memfd_secret as possibly not file I/O related // Ignoring sys_enter_fork sys_exit_fork as possibly not file I/O related -// Ignoring sys_enter_landlock_create_ruleset sys_exit_landlock_create_ruleset as possibly not file I/O related -// Ignoring sys_enter_shmctl sys_exit_shmctl as possibly not file I/O related -// Ignoring sys_enter_getpgid sys_exit_getpgid as possibly not file I/O related -// Ignoring sys_enter_iopl sys_exit_iopl as possibly not file I/O related -// Ignoring sys_enter_readv sys_exit_readv as possibly not file I/O related -// Ignoring sys_enter_utimes sys_exit_utimes as possibly not file I/O related -// Ignoring sys_enter_map_shadow_stack sys_exit_map_shadow_stack as possibly not file I/O related +// Ignoring sys_enter_msync sys_exit_msync as possibly not file I/O related +// Ignoring sys_enter_times sys_exit_times as possibly not file I/O related // Ignoring sys_enter_keyctl sys_exit_keyctl as possibly not file I/O related -// Ignoring sys_enter_epoll_ctl sys_exit_epoll_ctl as possibly not file I/O related 
-// Ignoring sys_enter_ioprio_set sys_exit_ioprio_set as possibly not file I/O related -// Ignoring sys_enter_rseq sys_exit_rseq as possibly not file I/O related -// Ignoring sys_enter_prlimit64 sys_exit_prlimit64 as possibly not file I/O related -// Ignoring sys_enter_mq_getsetattr sys_exit_mq_getsetattr as possibly not file I/O related -// Ignoring sys_enter_semctl sys_exit_semctl as possibly not file I/O related -// Ignoring sys_enter_mq_timedsend sys_exit_mq_timedsend as possibly not file I/O related -// Ignoring sys_enter_sendto sys_exit_sendto as possibly not file I/O related -// Ignoring sys_enter_epoll_pwait2 sys_exit_epoll_pwait2 as possibly not file I/O related -// Ignoring sys_enter_setregid sys_exit_setregid as possibly not file I/O related -// Ignoring sys_enter_fremovexattr sys_exit_fremovexattr as possibly not file I/O related -// Ignoring sys_enter_getresuid sys_exit_getresuid as possibly not file I/O related -// Ignoring sys_enter_set_mempolicy sys_exit_set_mempolicy as possibly not file I/O related -// Ignoring sys_enter_epoll_wait sys_exit_epoll_wait as possibly not file I/O related -// Ignoring sys_enter_inotify_init sys_exit_inotify_init as possibly not file I/O related -// Ignoring sys_enter_setsid sys_exit_setsid as possibly not file I/O related -// Ignoring sys_enter_mseal sys_exit_mseal as possibly not file I/O related -// Ignoring sys_enter_set_tid_address sys_exit_set_tid_address as possibly not file I/O related -// Ignoring sys_enter_vfork sys_exit_vfork as possibly not file I/O related -// Ignoring sys_enter_sched_get_priority_min sys_exit_sched_get_priority_min as possibly not file I/O related -// Ignoring sys_enter_fanotify_init sys_exit_fanotify_init as possibly not file I/O related -// Ignoring sys_enter_settimeofday sys_exit_settimeofday as possibly not file I/O related -// Ignoring sys_enter_time sys_exit_time as possibly not file I/O related -// Ignoring sys_enter_splice sys_exit_splice as possibly not file I/O related +// 
Ignoring sys_enter_finit_module sys_exit_finit_module as possibly not file I/O related // Ignoring sys_enter_getgroups sys_exit_getgroups as possibly not file I/O related -// Ignoring sys_enter_modify_ldt sys_exit_modify_ldt as possibly not file I/O related -// Ignoring sys_enter_tgkill sys_exit_tgkill as possibly not file I/O related -// Ignoring sys_enter_getegid sys_exit_getegid as possibly not file I/O related -// Ignoring sys_enter_delete_module sys_exit_delete_module as possibly not file I/O related -// Ignoring sys_enter_getuid sys_exit_getuid as possibly not file I/O related -// Ignoring sys_enter_pidfd_getfd sys_exit_pidfd_getfd as possibly not file I/O related -// Ignoring sys_enter_syslog sys_exit_syslog as possibly not file I/O related -// Ignoring sys_enter_getpeername sys_exit_getpeername as possibly not file I/O related -// Ignoring sys_enter_timer_create sys_exit_timer_create as possibly not file I/O related -// Ignoring sys_enter_fsetxattr sys_exit_fsetxattr as possibly not file I/O related -// Ignoring sys_enter_io_uring_setup sys_exit_io_uring_setup as possibly not file I/O related -// Ignoring sys_enter_unshare sys_exit_unshare as possibly not file I/O related -// Ignoring sys_enter_dup sys_exit_dup as possibly not file I/O related -// Ignoring sys_enter_pidfd_send_signal sys_exit_pidfd_send_signal as possibly not file I/O related -// Ignoring sys_enter_getsockopt sys_exit_getsockopt as possibly not file I/O related -// Ignoring sys_enter_setuid sys_exit_setuid as possibly not file I/O related -// Ignoring sys_enter_lsm_get_self_attr sys_exit_lsm_get_self_attr as possibly not file I/O related -// Ignoring sys_enter_io_destroy sys_exit_io_destroy as possibly not file I/O related -// Ignoring sys_enter_listmount sys_exit_listmount as possibly not file I/O related -// Ignoring sys_enter_setresgid sys_exit_setresgid as possibly not file I/O related -// Ignoring sys_enter_mincore sys_exit_mincore as possibly not file I/O related -// Ignoring 
sys_enter_getcpu sys_exit_getcpu as possibly not file I/O related -// Ignoring sys_enter_membarrier sys_exit_membarrier as possibly not file I/O related -// Ignoring sys_enter_setsockopt sys_exit_setsockopt as possibly not file I/O related -// Ignoring sys_enter_getsid sys_exit_getsid as possibly not file I/O related -// Ignoring sys_enter_readlink sys_exit_readlink as possibly not file I/O related -// Ignoring sys_enter_sendfile64 sys_exit_sendfile64 as possibly not file I/O related -// Ignoring sys_enter_brk sys_exit_brk as possibly not file I/O related -// Ignoring sys_enter_quotactl sys_exit_quotactl as possibly not file I/O related -// Ignoring sys_enter_pwritev2 sys_exit_pwritev2 as possibly not file I/O related -// Ignoring sys_enter_rt_sigreturn sys_exit_rt_sigreturn as possibly not file I/O related -// Ignoring sys_enter_memfd_secret sys_exit_memfd_secret as possibly not file I/O related -// Ignoring sys_enter_landlock_add_rule sys_exit_landlock_add_rule as possibly not file I/O related -// Ignoring sys_enter_setdomainname sys_exit_setdomainname as possibly not file I/O related -// Ignoring sys_enter_signalfd4 sys_exit_signalfd4 as possibly not file I/O related -// Ignoring sys_enter_munlockall sys_exit_munlockall as possibly not file I/O related -// Ignoring sys_enter_rt_tgsigqueueinfo sys_exit_rt_tgsigqueueinfo as possibly not file I/O related -// Ignoring sys_enter_userfaultfd sys_exit_userfaultfd as possibly not file I/O related -// Ignoring sys_enter_mbind sys_exit_mbind as possibly not file I/O related -// Ignoring sys_enter_rt_sigaction sys_exit_rt_sigaction as possibly not file I/O related -// Ignoring sys_enter_futex sys_exit_futex as possibly not file I/O related -// Ignoring sys_enter_setreuid sys_exit_setreuid as possibly not file I/O related // Ignoring sys_enter_umask sys_exit_umask as possibly not file I/O related -// Ignoring sys_enter_newuname sys_exit_newuname as possibly not file I/O related -// Ignoring sys_enter_signalfd 
sys_exit_signalfd as possibly not file I/O related -// Ignoring sys_enter_move_pages sys_exit_move_pages as possibly not file I/O related -// Ignoring sys_enter_gettimeofday sys_exit_gettimeofday as possibly not file I/O related -// Ignoring sys_enter_clock_gettime sys_exit_clock_gettime as possibly not file I/O related -// Ignoring sys_enter_process_mrelease sys_exit_process_mrelease as possibly not file I/O related -// Ignoring sys_enter_msync sys_exit_msync as possibly not file I/O related +// Ignoring sys_enter_clock_getres sys_exit_clock_getres as possibly not file I/O related +// Ignoring sys_enter_capget sys_exit_capget as possibly not file I/O related +// Ignoring sys_enter_statmount sys_exit_statmount as possibly not file I/O related +// Ignoring sys_enter_sendto sys_exit_sendto as possibly not file I/O related +// Ignoring sys_enter_ioperm sys_exit_ioperm as possibly not file I/O related +// Ignoring sys_enter_munlock sys_exit_munlock as possibly not file I/O related +// Ignoring sys_enter_setgid sys_exit_setgid as possibly not file I/O related +// Ignoring sys_enter_setreuid sys_exit_setreuid as possibly not file I/O related +// Ignoring sys_enter_reboot sys_exit_reboot as possibly not file I/O related +// Ignoring sys_enter_uretprobe sys_exit_uretprobe as possibly not file I/O related +// Ignoring sys_enter_timer_delete sys_exit_timer_delete as possibly not file I/O related // Ignoring sys_enter_getpid sys_exit_getpid as possibly not file I/O related +// Ignoring sys_enter_mprotect sys_exit_mprotect as possibly not file I/O related +// Ignoring sys_enter_prlimit64 sys_exit_prlimit64 as possibly not file I/O related +// Ignoring sys_enter_getegid sys_exit_getegid as possibly not file I/O related +// Ignoring sys_enter_shmat sys_exit_shmat as possibly not file I/O related +// Ignoring sys_enter_clock_gettime sys_exit_clock_gettime as possibly not file I/O related +// Ignoring sys_enter_prctl sys_exit_prctl as possibly not file I/O related +// Ignoring 
sys_enter_epoll_create sys_exit_epoll_create as possibly not file I/O related // Ignoring sys_enter_setpriority sys_exit_setpriority as possibly not file I/O related -// Ignoring sys_enter_shmget sys_exit_shmget as possibly not file I/O related -// Ignoring sys_enter_futex_requeue sys_exit_futex_requeue as possibly not file I/O related -// Ignoring sys_enter_get_mempolicy sys_exit_get_mempolicy as possibly not file I/O related +// Ignoring sys_enter_msgrcv sys_exit_msgrcv as possibly not file I/O related +// Ignoring sys_enter_gettid sys_exit_gettid as possibly not file I/O related +// Ignoring sys_enter_eventfd2 sys_exit_eventfd2 as possibly not file I/O related +// Ignoring sys_enter_restart_syscall sys_exit_restart_syscall as possibly not file I/O related +// Ignoring sys_enter_futex_wait sys_exit_futex_wait as possibly not file I/O related // Ignoring sys_enter_swapoff sys_exit_swapoff as possibly not file I/O related -// Ignoring sys_enter_set_robust_list sys_exit_set_robust_list as possibly not file I/O related -// Ignoring sys_enter_timer_delete sys_exit_timer_delete as possibly not file I/O related -// Ignoring sys_enter_mq_open sys_exit_mq_open as possibly not file I/O related -// Ignoring sys_enter_setrlimit sys_exit_setrlimit as possibly not file I/O related -// Ignoring sys_enter_perf_event_open sys_exit_perf_event_open as possibly not file I/O related -// Ignoring sys_enter_setgroups sys_exit_setgroups as possibly not file I/O related -// Ignoring sys_enter_semtimedop sys_exit_semtimedop as possibly not file I/O related +// Ignoring sys_enter_move_pages sys_exit_move_pages as possibly not file I/O related +// Ignoring sys_enter_init_module sys_exit_init_module as possibly not file I/O related +// Ignoring sys_enter_sched_get_priority_min sys_exit_sched_get_priority_min as possibly not file I/O related +// Ignoring sys_enter_open_by_handle_at sys_exit_open_by_handle_at as possibly not file I/O related +// Ignoring sys_enter_msgctl sys_exit_msgctl as 
possibly not file I/O related +// Ignoring sys_enter_timer_getoverrun sys_exit_timer_getoverrun as possibly not file I/O related +// Ignoring sys_enter_writev sys_exit_writev as possibly not file I/O related +// Ignoring sys_enter_unshare sys_exit_unshare as possibly not file I/O related +// Ignoring sys_enter_sched_getattr sys_exit_sched_getattr as possibly not file I/O related +// Ignoring sys_enter_shmctl sys_exit_shmctl as possibly not file I/O related +// Ignoring sys_enter_setsid sys_exit_setsid as possibly not file I/O related +// Ignoring sys_enter_fsmount sys_exit_fsmount as possibly not file I/O related +// Ignoring sys_enter_landlock_add_rule sys_exit_landlock_add_rule as possibly not file I/O related +// Ignoring sys_enter_landlock_restrict_self sys_exit_landlock_restrict_self as possibly not file I/O related +// Ignoring sys_enter_mount sys_exit_mount as possibly not file I/O related // Ignoring sys_enter_inotify_rm_watch sys_exit_inotify_rm_watch as possibly not file I/O related -// Ignoring sys_enter_futex_waitv sys_exit_futex_waitv as possibly not file I/O related -// Ignoring sys_enter_fspick sys_exit_fspick as possibly not file I/O related -// Ignoring sys_enter_sync sys_exit_sync as possibly not file I/O related -// Ignoring sys_enter_clock_nanosleep sys_exit_clock_nanosleep as possibly not file I/O related -// Ignoring sys_enter_shutdown sys_exit_shutdown as possibly not file I/O related -// Ignoring sys_enter_sched_setscheduler sys_exit_sched_setscheduler as possibly not file I/O related +// Ignoring sys_enter_tgkill sys_exit_tgkill as possibly not file I/O related +// Ignoring sys_enter_preadv sys_exit_preadv as possibly not file I/O related +// Ignoring sys_enter_bind sys_exit_bind as possibly not file I/O related +// Ignoring sys_enter_io_getevents sys_exit_io_getevents as possibly not file I/O related +// Ignoring sys_enter_getcpu sys_exit_getcpu as possibly not file I/O related +// Ignoring sys_enter_execveat sys_exit_execveat as possibly 
not file I/O related +// Ignoring sys_enter_getppid sys_exit_getppid as possibly not file I/O related +// Ignoring sys_enter_exit sys_exit_exit as possibly not file I/O related +// Ignoring sys_enter_fsopen sys_exit_fsopen as possibly not file I/O related +// Ignoring sys_enter_getpgrp sys_exit_getpgrp as possibly not file I/O related +// Ignoring sys_enter_vhangup sys_exit_vhangup as possibly not file I/O related // Ignoring sys_enter_eventfd sys_exit_eventfd as possibly not file I/O related -// Ignoring sys_enter_process_vm_writev sys_exit_process_vm_writev as possibly not file I/O related -// Ignoring sys_enter_clone3 sys_exit_clone3 as possibly not file I/O related -// Ignoring sys_enter_reboot sys_exit_reboot as possibly not file I/O related -// Ignoring sys_enter_setfsgid sys_exit_setfsgid as possibly not file I/O related -// Ignoring sys_enter_rt_sigsuspend sys_exit_rt_sigsuspend as possibly not file I/O related -// Ignoring sys_enter_capset sys_exit_capset as possibly not file I/O related -// Ignoring sys_enter_pkey_alloc sys_exit_pkey_alloc as possibly not file I/O related -// Ignoring sys_enter_personality sys_exit_personality as possibly not file I/O related -// Ignoring sys_enter_madvise sys_exit_madvise as possibly not file I/O related -// Ignoring sys_enter_process_vm_readv sys_exit_process_vm_readv as possibly not file I/O related -// Ignoring sys_enter_timerfd_gettime sys_exit_timerfd_gettime as possibly not file I/O related -// Ignoring sys_enter_semget sys_exit_semget as possibly not file I/O related +// Ignoring sys_enter_getitimer sys_exit_getitimer as possibly not file I/O related +// Ignoring sys_enter_getgid sys_exit_getgid as possibly not file I/O related +// Ignoring sys_enter_rt_sigaction sys_exit_rt_sigaction as possibly not file I/O related +// Ignoring sys_enter_epoll_ctl sys_exit_epoll_ctl as possibly not file I/O related +// Ignoring sys_enter_sysinfo sys_exit_sysinfo as possibly not file I/O related +// Ignoring 
sys_enter_delete_module sys_exit_delete_module as possibly not file I/O related +// Ignoring sys_enter_exit_group sys_exit_exit_group as possibly not file I/O related +// Ignoring sys_enter_readahead sys_exit_readahead as possibly not file I/O related +// Ignoring sys_enter_rt_sigtimedwait sys_exit_rt_sigtimedwait as possibly not file I/O related +// Ignoring sys_enter_flistxattr sys_exit_flistxattr as possibly not file I/O related +// Ignoring sys_enter_epoll_pwait2 sys_exit_epoll_pwait2 as possibly not file I/O related +// Ignoring sys_enter_bpf sys_exit_bpf as possibly not file I/O related +// Ignoring sys_enter_mremap sys_exit_mremap as possibly not file I/O related +// Ignoring sys_enter_sched_setaffinity sys_exit_sched_setaffinity as possibly not file I/O related +// Ignoring sys_enter_rseq sys_exit_rseq as possibly not file I/O related +// Ignoring sys_enter_remap_file_pages sys_exit_remap_file_pages as possibly not file I/O related +// Ignoring sys_enter_getrlimit sys_exit_getrlimit as possibly not file I/O related // Ignoring sys_enter_tee sys_exit_tee as possibly not file I/O related +// Ignoring sys_enter_sched_getaffinity sys_exit_sched_getaffinity as possibly not file I/O related +// Ignoring sys_enter_mseal sys_exit_mseal as possibly not file I/O related +// Ignoring sys_enter_process_vm_writev sys_exit_process_vm_writev as possibly not file I/O related // Ignoring sys_enter_kill sys_exit_kill as possibly not file I/O related -// Ignoring sys_enter_epoll_create1 sys_exit_epoll_create1 as possibly not file I/O related -// Ignoring sys_enter_kexec_load sys_exit_kexec_load as possibly not file I/O related -// Ignoring sys_enter_fsmount sys_exit_fsmount as possibly not file I/O related -// Ignoring sys_enter_getgid sys_exit_getgid as possibly not file I/O related -// Ignoring sys_enter_uretprobe sys_exit_uretprobe as possibly not file I/O related -// Ignoring sys_enter_setgid sys_exit_setgid as possibly not file I/O related -// Ignoring sys_enter_preadv2 
sys_exit_preadv2 as possibly not file I/O related -// Ignoring sys_enter_pipe sys_exit_pipe as possibly not file I/O related -// Ignoring sys_enter_timerfd_create sys_exit_timerfd_create as possibly not file I/O related -// Ignoring sys_enter_setpgid sys_exit_setpgid as possibly not file I/O related -// Ignoring sys_enter_getrandom sys_exit_getrandom as possibly not file I/O related -// Ignoring sys_enter_getpgrp sys_exit_getpgrp as possibly not file I/O related -// Ignoring sys_enter_sched_setattr sys_exit_sched_setattr as possibly not file I/O related -// Ignoring sys_enter_ppoll sys_exit_ppoll as possibly not file I/O related -// Ignoring sys_enter_pkey_free sys_exit_pkey_free as possibly not file I/O related -// Ignoring sys_enter_msgctl sys_exit_msgctl as possibly not file I/O related -// Ignoring sys_enter_msgsnd sys_exit_msgsnd as possibly not file I/O related +// Ignoring sys_enter_getsockname sys_exit_getsockname as possibly not file I/O related // Ignoring sys_enter_sched_yield sys_exit_sched_yield as possibly not file I/O related -// Ignoring sys_enter_setitimer sys_exit_setitimer as possibly not file I/O related -// Ignoring sys_enter_process_madvise sys_exit_process_madvise as possibly not file I/O related -// Ignoring sys_enter_io_cancel sys_exit_io_cancel as possibly not file I/O related -// Ignoring sys_enter_writev sys_exit_writev as possibly not file I/O related +// Ignoring sys_enter_capset sys_exit_capset as possibly not file I/O related +// Ignoring sys_enter_vfork sys_exit_vfork as possibly not file I/O related +// Ignoring sys_enter_signalfd4 sys_exit_signalfd4 as possibly not file I/O related +// Ignoring sys_enter_recvmmsg sys_exit_recvmmsg as possibly not file I/O related +// Ignoring sys_enter_semtimedop sys_exit_semtimedop as possibly not file I/O related +// Ignoring sys_enter_futex sys_exit_futex as possibly not file I/O related +// Ignoring sys_enter_setns sys_exit_setns as possibly not file I/O related +// Ignoring sys_enter_fspick 
sys_exit_fspick as possibly not file I/O related +// Ignoring sys_enter_timer_gettime sys_exit_timer_gettime as possibly not file I/O related +// Ignoring sys_enter_sendmmsg sys_exit_sendmmsg as possibly not file I/O related +// Ignoring sys_enter_poll sys_exit_poll as possibly not file I/O related +// Ignoring sys_enter_setregid sys_exit_setregid as possibly not file I/O related +// Ignoring sys_enter_set_mempolicy_home_node sys_exit_set_mempolicy_home_node as possibly not file I/O related +// Ignoring sys_enter_setresgid sys_exit_setresgid as possibly not file I/O related +// Ignoring sys_enter_landlock_create_ruleset sys_exit_landlock_create_ruleset as possibly not file I/O related +// Ignoring sys_enter_ioprio_get sys_exit_ioprio_get as possibly not file I/O related +// Ignoring sys_enter_pwritev2 sys_exit_pwritev2 as possibly not file I/O related +// Ignoring sys_enter_readv sys_exit_readv as possibly not file I/O related +// Ignoring sys_enter_perf_event_open sys_exit_perf_event_open as possibly not file I/O related +// Ignoring sys_enter_timerfd_settime sys_exit_timerfd_settime as possibly not file I/O related +// Ignoring sys_enter_signalfd sys_exit_signalfd as possibly not file I/O related +// Ignoring sys_enter_io_submit sys_exit_io_submit as possibly not file I/O related +// Ignoring sys_enter_rt_sigqueueinfo sys_exit_rt_sigqueueinfo as possibly not file I/O related +// Ignoring sys_enter_getresuid sys_exit_getresuid as possibly not file I/O related +// Ignoring sys_enter_connect sys_exit_connect as possibly not file I/O related +// Ignoring sys_enter_fanotify_init sys_exit_fanotify_init as possibly not file I/O related +// Ignoring sys_enter_getcwd sys_exit_getcwd as possibly not file I/O related +// Ignoring sys_enter_sync_file_range sys_exit_sync_file_range as possibly not file I/O related +// Ignoring sys_enter_geteuid sys_exit_geteuid as possibly not file I/O related +// Ignoring sys_enter_setgroups sys_exit_setgroups as possibly not file I/O 
related +// Ignoring sys_enter_mq_open sys_exit_mq_open as possibly not file I/O related +// Ignoring sys_enter_shmget sys_exit_shmget as possibly not file I/O related +// Ignoring sys_enter_swapon sys_exit_swapon as possibly not file I/O related +// Ignoring sys_enter_membarrier sys_exit_membarrier as possibly not file I/O related +// Ignoring sys_enter_clock_nanosleep sys_exit_clock_nanosleep as possibly not file I/O related +// Ignoring sys_enter_sched_getscheduler sys_exit_sched_getscheduler as possibly not file I/O related +// Ignoring sys_enter_setuid sys_exit_setuid as possibly not file I/O related +// Ignoring sys_enter_time sys_exit_time as possibly not file I/O related // Ignoring sys_enter_fsconfig sys_exit_fsconfig as possibly not file I/O related -// Ignoring sys_enter_kcmp sys_exit_kcmp as possibly not file I/O related -// Ignoring sys_enter_readahead sys_exit_readahead as possibly not file I/O related +// Ignoring sys_enter_semop sys_exit_semop as possibly not file I/O related +// Ignoring sys_enter_setresuid sys_exit_setresuid as possibly not file I/O related +// Ignoring sys_enter_epoll_wait sys_exit_epoll_wait as possibly not file I/O related +// Ignoring sys_enter_socket sys_exit_socket as possibly not file I/O related +// Ignoring sys_enter_set_robust_list sys_exit_set_robust_list as possibly not file I/O related +// Ignoring sys_enter_fremovexattr sys_exit_fremovexattr as possibly not file I/O related +// Ignoring sys_enter_accept4 sys_exit_accept4 as possibly not file I/O related +// Ignoring sys_enter_sched_setscheduler sys_exit_sched_setscheduler as possibly not file I/O related +// Ignoring sys_enter_move_mount sys_exit_move_mount as possibly not file I/O related +// Ignoring sys_enter_alarm sys_exit_alarm as possibly not file I/O related +// Ignoring sys_enter_pivot_root sys_exit_pivot_root as possibly not file I/O related +// Ignoring sys_enter_munmap sys_exit_munmap as possibly not file I/O related +// Ignoring 
sys_enter_pidfd_send_signal sys_exit_pidfd_send_signal as possibly not file I/O related +// Ignoring sys_enter_clock_adjtime sys_exit_clock_adjtime as possibly not file I/O related +// Ignoring sys_enter_splice sys_exit_splice as possibly not file I/O related +// Ignoring sys_enter_sched_setattr sys_exit_sched_setattr as possibly not file I/O related +// Ignoring sys_enter_timer_create sys_exit_timer_create as possibly not file I/O related +// Ignoring sys_enter_seccomp sys_exit_seccomp as possibly not file I/O related +// Ignoring sys_enter_sched_get_priority_max sys_exit_sched_get_priority_max as possibly not file I/O related +// Ignoring sys_enter_futex_requeue sys_exit_futex_requeue as possibly not file I/O related +// Ignoring sys_enter_dup sys_exit_dup as possibly not file I/O related +// Ignoring sys_enter_getpgid sys_exit_getpgid as possibly not file I/O related +// Ignoring sys_enter_sched_setparam sys_exit_sched_setparam as possibly not file I/O related +// Ignoring sys_enter_kexec_file_load sys_exit_kexec_file_load as possibly not file I/O related +// Ignoring sys_enter_clone sys_exit_clone as possibly not file I/O related +// Ignoring sys_enter_setitimer sys_exit_setitimer as possibly not file I/O related // Ignoring sys_enter_sched_getparam sys_exit_sched_getparam as possibly not file I/O related +// Ignoring sys_enter_rt_sigpending sys_exit_rt_sigpending as possibly not file I/O related +// Ignoring sys_enter_wait4 sys_exit_wait4 as possibly not file I/O related +// Ignoring sys_enter_pipe sys_exit_pipe as possibly not file I/O related +// Ignoring sys_enter_vmsplice sys_exit_vmsplice as possibly not file I/O related +// Ignoring sys_enter_settimeofday sys_exit_settimeofday as possibly not file I/O related +// Ignoring sys_enter_ptrace sys_exit_ptrace as possibly not file I/O related // Ignoring sys_enter_shmdt sys_exit_shmdt as possibly not file I/O related -// Ignoring sys_enter_swapon sys_exit_swapon as possibly not file I/O related -// Ignoring 
sys_enter_select sys_exit_select as possibly not file I/O related -// Ignoring sys_enter_msgrcv sys_exit_msgrcv as possibly not file I/O related -// Ignoring sys_enter_utime sys_exit_utime as possibly not file I/O related -// Ignoring sys_enter_times sys_exit_times as possibly not file I/O related +// Ignoring sys_enter_inotify_init sys_exit_inotify_init as possibly not file I/O related // Ignoring sys_enter_pipe2 sys_exit_pipe2 as possibly not file I/O related -// Ignoring sys_enter_timerfd_settime sys_exit_timerfd_settime as possibly not file I/O related -// Ignoring sys_enter_inotify_init1 sys_exit_inotify_init1 as possibly not file I/O related -// Ignoring sys_enter_pause sys_exit_pause as possibly not file I/O related -// Ignoring sys_enter_getrlimit sys_exit_getrlimit as possibly not file I/O related -// Ignoring sys_enter_rt_sigtimedwait sys_exit_rt_sigtimedwait as possibly not file I/O related +// Ignoring sys_enter_fgetxattr sys_exit_fgetxattr as possibly not file I/O related +// Ignoring sys_enter_mincore sys_exit_mincore as possibly not file I/O related +// Ignoring sys_enter_shutdown sys_exit_shutdown as possibly not file I/O related +// Ignoring sys_enter_madvise sys_exit_madvise as possibly not file I/O related +// Ignoring sys_enter_munlockall sys_exit_munlockall as possibly not file I/O related +// Ignoring sys_enter_arch_prctl sys_exit_arch_prctl as possibly not file I/O related +// Ignoring sys_enter_nanosleep sys_exit_nanosleep as possibly not file I/O related +// Ignoring sys_enter_recvfrom sys_exit_recvfrom as possibly not file I/O related +// Ignoring sys_enter_utimes sys_exit_utimes as possibly not file I/O related +// Ignoring sys_enter_getrusage sys_exit_getrusage as possibly not file I/O related +// Ignoring sys_enter_setdomainname sys_exit_setdomainname as possibly not file I/O related +// Ignoring sys_enter_adjtimex sys_exit_adjtimex as possibly not file I/O related +// Ignoring sys_enter_copy_file_range sys_exit_copy_file_range as 
possibly not file I/O related +// Ignoring sys_enter_timerfd_gettime sys_exit_timerfd_gettime as possibly not file I/O related +// Ignoring sys_enter_mlock sys_exit_mlock as possibly not file I/O related +// Ignoring sys_enter_utime sys_exit_utime as possibly not file I/O related +// Ignoring sys_enter_fadvise64 sys_exit_fadvise64 as possibly not file I/O related +// Ignoring sys_enter_lsm_list_modules sys_exit_lsm_list_modules as possibly not file I/O related +// Ignoring sys_enter_clone3 sys_exit_clone3 as possibly not file I/O related +// Ignoring sys_enter_kexec_load sys_exit_kexec_load as possibly not file I/O related +// Ignoring sys_enter_mq_getsetattr sys_exit_mq_getsetattr as possibly not file I/O related +// Ignoring sys_enter_mlock2 sys_exit_mlock2 as possibly not file I/O related +// Ignoring sys_enter_waitid sys_exit_waitid as possibly not file I/O related +// Ignoring sys_enter_getuid sys_exit_getuid as possibly not file I/O related +// Ignoring sys_enter_get_mempolicy sys_exit_get_mempolicy as possibly not file I/O related +// Ignoring sys_enter_mlockall sys_exit_mlockall as possibly not file I/O related +// Ignoring sys_enter_pwritev sys_exit_pwritev as possibly not file I/O related +// Ignoring sys_enter_select sys_exit_select as possibly not file I/O related +// Ignoring sys_enter_sendfile64 sys_exit_sendfile64 as possibly not file I/O related +// Ignoring sys_enter_kcmp sys_exit_kcmp as possibly not file I/O related +// Ignoring sys_enter_sysfs sys_exit_sysfs as possibly not file I/O related +// Ignoring sys_enter_getsockopt sys_exit_getsockopt as possibly not file I/O related +// Ignoring sys_enter_setfsuid sys_exit_setfsuid as possibly not file I/O related +// Ignoring sys_enter_mq_notify sys_exit_mq_notify as possibly not file I/O related +// Ignoring sys_enter_set_tid_address sys_exit_set_tid_address as possibly not file I/O related +// Ignoring sys_enter_msgsnd sys_exit_msgsnd as possibly not file I/O related +// Ignoring sys_enter_listmount 
sys_exit_listmount as possibly not file I/O related +// Ignoring sys_enter_newuname sys_exit_newuname as possibly not file I/O related +// Ignoring sys_enter_io_pgetevents sys_exit_io_pgetevents as possibly not file I/O related +// Ignoring sys_enter_lsm_set_self_attr sys_exit_lsm_set_self_attr as possibly not file I/O related +// Ignoring sys_enter_mknod sys_exit_mknod as possibly not file I/O related +// Ignoring sys_enter_rt_tgsigqueueinfo sys_exit_rt_tgsigqueueinfo as possibly not file I/O related +// Ignoring sys_enter_epoll_pwait sys_exit_epoll_pwait as possibly not file I/O related +// Ignoring sys_enter_listen sys_exit_listen as possibly not file I/O related +// Ignoring sys_enter_modify_ldt sys_exit_modify_ldt as possibly not file I/O related +// Ignoring sys_enter_rt_sigsuspend sys_exit_rt_sigsuspend as possibly not file I/O related // Ignoring sys_enter_accept sys_exit_accept as possibly not file I/O related -// Ignoring sys_enter_pselect6 sys_exit_pselect6 as possibly not file I/O related -// Ignoring sys_enter_mq_unlink sys_exit_mq_unlink as possibly not file I/O related -// Ignoring sys_enter_set_mempolicy_home_node sys_exit_set_mempolicy_home_node as possibly not file I/O related -// Ignoring sys_enter_kexec_file_load sys_exit_kexec_file_load as possibly not file I/O related -// Ignoring sys_enter_shmat sys_exit_shmat as possibly not file I/O related -// Ignoring sys_enter_io_submit sys_exit_io_submit as possibly not file I/O related -// Ignoring sys_enter_timer_gettime sys_exit_timer_gettime as possibly not file I/O related -// Ignoring sys_enter_rt_sigpending sys_exit_rt_sigpending as possibly not file I/O related +// Ignoring sys_enter_fsetxattr sys_exit_fsetxattr as possibly not file I/O related +// Ignoring sys_enter_io_uring_setup sys_exit_io_uring_setup as possibly not file I/O related +// Ignoring sys_enter_timerfd_create sys_exit_timerfd_create as possibly not file I/O related +// Ignoring sys_enter_preadv2 sys_exit_preadv2 as possibly not 
file I/O related +// Ignoring sys_enter_pidfd_getfd sys_exit_pidfd_getfd as possibly not file I/O related +// Ignoring sys_enter_getresgid sys_exit_getresgid as possibly not file I/O related +// Ignoring sys_enter_syslog sys_exit_syslog as possibly not file I/O related +// Ignoring sys_enter_gettimeofday sys_exit_gettimeofday as possibly not file I/O related // Ignoring sys_enter_get_robust_list sys_exit_get_robust_list as possibly not file I/O related -// Ignoring sys_enter_bind sys_exit_bind as possibly not file I/O related -// Ignoring sys_enter_geteuid sys_exit_geteuid as possibly not file I/O related +// Ignoring sys_enter_recvmsg sys_exit_recvmsg as possibly not file I/O related +// Ignoring sys_enter_process_madvise sys_exit_process_madvise as possibly not file I/O related +// Ignoring sys_enter_mq_unlink sys_exit_mq_unlink as possibly not file I/O related // Ignoring sys_enter_pkey_mprotect sys_exit_pkey_mprotect as possibly not file I/O related -// Ignoring sys_enter_ioprio_get sys_exit_ioprio_get as possibly not file I/O related -// Ignoring sys_enter_ioperm sys_exit_ioperm as possibly not file I/O related -// Ignoring sys_enter_preadv sys_exit_preadv as possibly not file I/O related -// Ignoring sys_enter_munmap sys_exit_munmap as possibly not file I/O related -// Ignoring sys_enter_sysinfo sys_exit_sysinfo as possibly not file I/O related +// Ignoring sys_enter_sched_rr_get_interval sys_exit_sched_rr_get_interval as possibly not file I/O related +// Ignoring sys_enter_mount_setattr sys_exit_mount_setattr as possibly not file I/O related +// Ignoring sys_enter_mq_timedsend sys_exit_mq_timedsend as possibly not file I/O related +// Ignoring sys_enter_set_mempolicy sys_exit_set_mempolicy as possibly not file I/O related +// Ignoring sys_enter_setfsgid sys_exit_setfsgid as possibly not file I/O related +// Ignoring sys_enter_mknodat sys_exit_mknodat as possibly not file I/O related +// Ignoring sys_enter_io_destroy sys_exit_io_destroy as possibly not file 
I/O related // Ignoring sys_enter_io_setup sys_exit_io_setup as possibly not file I/O related -// Ignoring sys_enter_getitimer sys_exit_getitimer as possibly not file I/O related -// Ignoring sys_enter_alarm sys_exit_alarm as possibly not file I/O related -// Ignoring sys_enter_recvmsg sys_exit_recvmsg as possibly not file I/O related -// Ignoring sys_enter_pidfd_open sys_exit_pidfd_open as possibly not file I/O related -// Ignoring sys_enter_sync_file_range sys_exit_sync_file_range as possibly not file I/O related -// Ignoring sys_enter_migrate_pages sys_exit_migrate_pages as possibly not file I/O related -// Ignoring sys_enter_init_module sys_exit_init_module as possibly not file I/O related -// Ignoring sys_enter_futex_wake sys_exit_futex_wake as possibly not file I/O related -// Ignoring sys_enter_mlock2 sys_exit_mlock2 as possibly not file I/O related -// Ignoring sys_enter_sched_getscheduler sys_exit_sched_getscheduler as possibly not file I/O related -// Ignoring sys_enter_capget sys_exit_capget as possibly not file I/O related -// Ignoring sys_enter_truncate sys_exit_truncate as possibly not file I/O related -// Ignoring sys_enter_flistxattr sys_exit_flistxattr as possibly not file I/O related -// Ignoring sys_enter_sched_getaffinity sys_exit_sched_getaffinity as possibly not file I/O related -// Ignoring sys_enter_mprotect sys_exit_mprotect as possibly not file I/O related +// Ignoring sys_enter_msgget sys_exit_msgget as possibly not file I/O related +// Ignoring sys_enter_pause sys_exit_pause as possibly not file I/O related +// Ignoring sys_enter_setsockopt sys_exit_setsockopt as possibly not file I/O related +// Ignoring sys_enter_pkey_free sys_exit_pkey_free as possibly not file I/O related +// Ignoring sys_enter_quotactl sys_exit_quotactl as possibly not file I/O related +// Ignoring sys_enter_ustat sys_exit_ustat as possibly not file I/O related +// Ignoring sys_enter_umount sys_exit_umount as possibly not file I/O related // Ignoring 
sys_enter_rt_sigprocmask sys_exit_rt_sigprocmask as possibly not file I/O related // Ignoring sys_enter_clock_settime sys_exit_clock_settime as possibly not file I/O related -// Ignoring sys_enter_tkill sys_exit_tkill as possibly not file I/O related -// Ignoring sys_enter_sigaltstack sys_exit_sigaltstack as possibly not file I/O related -// Ignoring sys_enter_sysfs sys_exit_sysfs as possibly not file I/O related -// Ignoring sys_enter_clock_adjtime sys_exit_clock_adjtime as possibly not file I/O related -// Ignoring sys_enter_fadvise64 sys_exit_fadvise64 as possibly not file I/O related -// Ignoring sys_enter_epoll_create sys_exit_epoll_create as possibly not file I/O related -// Ignoring sys_enter_sched_setparam sys_exit_sched_setparam as possibly not file I/O related -// Ignoring sys_enter_name_to_handle_at sys_exit_name_to_handle_at as possibly not file I/O related -// Ignoring sys_enter_restart_syscall sys_exit_restart_syscall as possibly not file I/O related -// Ignoring sys_enter_setfsuid sys_exit_setfsuid as possibly not file I/O related -// Ignoring sys_enter_sched_getattr sys_exit_sched_getattr as possibly not file I/O related -// Ignoring sys_enter_nanosleep sys_exit_nanosleep as possibly not file I/O related -// Ignoring sys_enter_pivot_root sys_exit_pivot_root as possibly not file I/O related -// Ignoring sys_enter_ptrace sys_exit_ptrace as possibly not file I/O related -// Ignoring sys_enter_mmap sys_exit_mmap as possibly not file I/O related -// Ignoring sys_enter_msgget sys_exit_msgget as possibly not file I/O related -// Ignoring sys_enter_move_mount sys_exit_move_mount as possibly not file I/O related +// Ignoring sys_enter_memfd_create sys_exit_memfd_create as possibly not file I/O related +// Ignoring sys_enter_setrlimit sys_exit_setrlimit as possibly not file I/O related +// Ignoring sys_enter_process_mrelease sys_exit_process_mrelease as possibly not file I/O related +// Ignoring sys_enter_fallocate sys_exit_fallocate as possibly not file I/O 
related +// Ignoring sys_enter_inotify_init1 sys_exit_inotify_init1 as possibly not file I/O related +// Ignoring sys_enter_semget sys_exit_semget as possibly not file I/O related +// Ignoring sys_enter_pselect6 sys_exit_pselect6 as possibly not file I/O related +// Ignoring sys_enter_pidfd_open sys_exit_pidfd_open as possibly not file I/O related // Ignoring sys_enter_acct sys_exit_acct as possibly not file I/O related -// Ignoring sys_enter_poll sys_exit_poll as possibly not file I/O related -// Ignoring sys_enter_io_pgetevents sys_exit_io_pgetevents as possibly not file I/O related -// Ignoring sys_enter_mq_notify sys_exit_mq_notify as possibly not file I/O related +// Ignoring sys_enter_epoll_create1 sys_exit_epoll_create1 as possibly not file I/O related +// Ignoring sys_enter_getrandom sys_exit_getrandom as possibly not file I/O related +// Ignoring sys_enter_userfaultfd sys_exit_userfaultfd as possibly not file I/O related #define SYS_ENTER_IO_URING_REGISTER 1513 #define SYS_EXIT_IO_URING_REGISTER 1512 @@ -345,10 +349,6 @@ #define SYS_EXIT_IOCTL 905 #define SYS_ENTER_FCNTL 904 #define SYS_EXIT_FCNTL 903 -#define SYS_ENTER_MKNODAT 902 -#define SYS_EXIT_MKNODAT 901 -#define SYS_ENTER_MKNOD 900 -#define SYS_EXIT_MKNOD 899 #define SYS_ENTER_MKDIRAT 898 #define SYS_EXIT_MKDIRAT 897 #define SYS_ENTER_MKDIR 896 @@ -373,10 +373,6 @@ #define SYS_EXIT_RENAMEAT 877 #define SYS_ENTER_RENAME 876 #define SYS_EXIT_RENAME 875 -#define SYS_ENTER_EXECVE 870 -#define SYS_EXIT_EXECVE 869 -#define SYS_ENTER_EXECVEAT 868 -#define SYS_EXIT_EXECVEAT 867 #define SYS_ENTER_NEWSTAT 866 #define SYS_EXIT_NEWSTAT 865 #define SYS_ENTER_NEWLSTAT 864 @@ -442,7 +438,6 @@ #define SYS_ENTER_CACHESTAT 599 #define SYS_EXIT_CACHESTAT 598 -// sys_enter_io_uring_register is a fd_event SEC("tracepoint/syscalls/sys_enter_io_uring_register") int handle_sys_enter_io_uring_register(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; 
@@ -464,7 +459,6 @@ int handle_sys_enter_io_uring_register(struct trace_event_raw_sys_enter *ctx) { return 0; } -// sys_exit_io_uring_register is a ret_event SEC("tracepoint/syscalls/sys_exit_io_uring_register") int handle_sys_exit_io_uring_register(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; @@ -486,7 +480,6 @@ int handle_sys_exit_io_uring_register(struct trace_event_raw_sys_exit *ctx) { return 0; } -// sys_enter_io_uring_enter is a fd_event SEC("tracepoint/syscalls/sys_enter_io_uring_enter") int handle_sys_enter_io_uring_enter(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; @@ -508,7 +501,6 @@ int handle_sys_enter_io_uring_enter(struct trace_event_raw_sys_enter *ctx) { return 0; } -// sys_exit_io_uring_enter is a ret_event SEC("tracepoint/syscalls/sys_exit_io_uring_enter") int handle_sys_exit_io_uring_enter(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; @@ -530,7 +522,6 @@ int handle_sys_exit_io_uring_enter(struct trace_event_raw_sys_exit *ctx) { return 0; } -// sys_enter_quotactl_fd is a fd_event SEC("tracepoint/syscalls/sys_enter_quotactl_fd") int handle_sys_enter_quotactl_fd(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; @@ -552,7 +543,6 @@ int handle_sys_enter_quotactl_fd(struct trace_event_raw_sys_enter *ctx) { return 0; } -// sys_exit_quotactl_fd is a ret_event SEC("tracepoint/syscalls/sys_exit_quotactl_fd") int handle_sys_exit_quotactl_fd(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; @@ -574,7 +564,6 @@ int handle_sys_exit_quotactl_fd(struct trace_event_raw_sys_exit *ctx) { return 0; } -// sys_enter_flock is a fd_event SEC("tracepoint/syscalls/sys_enter_flock") int handle_sys_enter_flock(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; @@ -596,7 +585,6 @@ int handle_sys_enter_flock(struct trace_event_raw_sys_enter *ctx) { return 0; } -// sys_exit_flock is a ret_event SEC("tracepoint/syscalls/sys_exit_flock") int handle_sys_exit_flock(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; 
@@ -618,7 +606,6 @@ int handle_sys_exit_flock(struct trace_event_raw_sys_exit *ctx) { return 0; } -// sys_enter_fanotify_mark is a path_event SEC("tracepoint/syscalls/sys_enter_fanotify_mark") int handle_sys_enter_fanotify_mark(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; @@ -641,7 +628,6 @@ int handle_sys_enter_fanotify_mark(struct trace_event_raw_sys_enter *ctx) { return 0; } -// sys_exit_fanotify_mark is a ret_event SEC("tracepoint/syscalls/sys_exit_fanotify_mark") int handle_sys_exit_fanotify_mark(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; @@ -663,7 +649,6 @@ int handle_sys_exit_fanotify_mark(struct trace_event_raw_sys_exit *ctx) { return 0; } -// sys_enter_inotify_add_watch is a path_event SEC("tracepoint/syscalls/sys_enter_inotify_add_watch") int handle_sys_enter_inotify_add_watch(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; @@ -686,7 +671,6 @@ int handle_sys_enter_inotify_add_watch(struct trace_event_raw_sys_enter *ctx) { return 0; } -// sys_exit_inotify_add_watch is a ret_event SEC("tracepoint/syscalls/sys_exit_inotify_add_watch") int handle_sys_exit_inotify_add_watch(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; @@ -708,7 +692,6 @@ int handle_sys_exit_inotify_add_watch(struct trace_event_raw_sys_exit *ctx) { return 0; } -// sys_enter_statfs is a path_event SEC("tracepoint/syscalls/sys_enter_statfs") int handle_sys_enter_statfs(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; @@ -731,7 +714,6 @@ int handle_sys_enter_statfs(struct trace_event_raw_sys_enter *ctx) { return 0; } -// sys_exit_statfs is a ret_event SEC("tracepoint/syscalls/sys_exit_statfs") int handle_sys_exit_statfs(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; @@ -753,7 +735,6 @@ int handle_sys_exit_statfs(struct trace_event_raw_sys_exit *ctx) { return 0; } -// sys_enter_fstatfs is a fd_event SEC("tracepoint/syscalls/sys_enter_fstatfs") int handle_sys_enter_fstatfs(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; 
@@ -775,7 +756,6 @@ int handle_sys_enter_fstatfs(struct trace_event_raw_sys_enter *ctx) { return 0; } -// sys_exit_fstatfs is a ret_event SEC("tracepoint/syscalls/sys_exit_fstatfs") int handle_sys_exit_fstatfs(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; @@ -797,32 +777,28 @@ int handle_sys_exit_fstatfs(struct trace_event_raw_sys_exit *ctx) { return 0; } -// sys_enter_utimensat is a open_event SEC("tracepoint/syscalls/sys_enter_utimensat") int handle_sys_enter_utimensat(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; - ev->event_type = ENTER_OPEN_EVENT; + ev->event_type = ENTER_PATH_EVENT; ev->trace_id = SYS_ENTER_UTIMENSAT; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); - __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); - bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[1]); - bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); - ev->flags = ctx->args[3]; + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]); bpf_ringbuf_submit(ev, 0); return 0; } -// sys_exit_utimensat is a ret_event SEC("tracepoint/syscalls/sys_exit_utimensat") int handle_sys_exit_utimensat(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; 
@@ -844,32 +820,28 @@ int handle_sys_exit_utimensat(struct trace_event_raw_sys_exit *ctx) { return 0; } -// sys_enter_futimesat is a open_event SEC("tracepoint/syscalls/sys_enter_futimesat") int handle_sys_enter_futimesat(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; - ev->event_type = ENTER_OPEN_EVENT; + ev->event_type = ENTER_PATH_EVENT; ev->trace_id = SYS_ENTER_FUTIMESAT; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); - __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); - bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[1]); - bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); - ev->flags = -1; // Probably OK + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]); bpf_ringbuf_submit(ev, 0); return 0; } -// sys_exit_futimesat is a ret_event SEC("tracepoint/syscalls/sys_exit_futimesat") int handle_sys_exit_futimesat(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; @@ -891,7 +863,6 @@ int handle_sys_exit_futimesat(struct trace_event_raw_sys_exit *ctx) { return 0; } -// sys_enter_fsync is a fd_event SEC("tracepoint/syscalls/sys_enter_fsync") int handle_sys_enter_fsync(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; @@ -913,7 +884,6 @@ int handle_sys_enter_fsync(struct trace_event_raw_sys_enter *ctx) { return 0; } -// sys_exit_fsync is a ret_event SEC("tracepoint/syscalls/sys_exit_fsync") int handle_sys_exit_fsync(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; 
@@ -935,7 +905,6 @@ int handle_sys_exit_fsync(struct trace_event_raw_sys_exit *ctx) { return 0; } -// sys_enter_fdatasync is a fd_event SEC("tracepoint/syscalls/sys_enter_fdatasync") int handle_sys_enter_fdatasync(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; @@ -957,7 +926,6 @@ int handle_sys_enter_fdatasync(struct trace_event_raw_sys_enter *ctx) { return 0; } -// sys_exit_fdatasync is a ret_event SEC("tracepoint/syscalls/sys_exit_fdatasync") int handle_sys_exit_fdatasync(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; @@ -979,7 +947,6 @@ int handle_sys_exit_fdatasync(struct trace_event_raw_sys_exit *ctx) { return 0; } -// sys_enter_setxattrat is a path_event SEC("tracepoint/syscalls/sys_enter_setxattrat") int handle_sys_enter_setxattrat(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; @@ -1002,7 +969,6 @@ int handle_sys_enter_setxattrat(struct trace_event_raw_sys_enter *ctx) { return 0; } -// sys_exit_setxattrat is a ret_event SEC("tracepoint/syscalls/sys_exit_setxattrat") int handle_sys_exit_setxattrat(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; @@ -1024,7 +990,6 @@ int handle_sys_exit_setxattrat(struct trace_event_raw_sys_exit *ctx) { return 0; } -// sys_enter_setxattr is a path_event SEC("tracepoint/syscalls/sys_enter_setxattr") int handle_sys_enter_setxattr(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; @@ -1047,7 +1012,6 @@ int handle_sys_enter_setxattr(struct trace_event_raw_sys_enter *ctx) { return 0; } -// sys_exit_setxattr is a ret_event SEC("tracepoint/syscalls/sys_exit_setxattr") int handle_sys_exit_setxattr(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; @@ -1069,7 +1033,6 @@ int handle_sys_exit_setxattr(struct trace_event_raw_sys_exit *ctx) { return 0; } -// sys_enter_lsetxattr is a path_event SEC("tracepoint/syscalls/sys_enter_lsetxattr") int handle_sys_enter_lsetxattr(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; 
@@ -1092,7 +1055,6 @@ int handle_sys_enter_lsetxattr(struct trace_event_raw_sys_enter *ctx) { return 0; } -// sys_exit_lsetxattr is a ret_event SEC("tracepoint/syscalls/sys_exit_lsetxattr") int handle_sys_exit_lsetxattr(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; @@ -1114,7 +1076,6 @@ int handle_sys_exit_lsetxattr(struct trace_event_raw_sys_exit *ctx) { return 0; } -// sys_enter_getxattrat is a path_event SEC("tracepoint/syscalls/sys_enter_getxattrat") int handle_sys_enter_getxattrat(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; @@ -1137,7 +1098,6 @@ int handle_sys_enter_getxattrat(struct trace_event_raw_sys_enter *ctx) { return 0; } -// sys_exit_getxattrat is a ret_event SEC("tracepoint/syscalls/sys_exit_getxattrat") int handle_sys_exit_getxattrat(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; @@ -1159,7 +1119,6 @@ int handle_sys_exit_getxattrat(struct trace_event_raw_sys_exit *ctx) { return 0; } -// sys_enter_getxattr is a path_event SEC("tracepoint/syscalls/sys_enter_getxattr") int handle_sys_enter_getxattr(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; @@ -1182,7 +1141,6 @@ int handle_sys_enter_getxattr(struct trace_event_raw_sys_enter *ctx) { return 0; } -// sys_exit_getxattr is a ret_event SEC("tracepoint/syscalls/sys_exit_getxattr") int handle_sys_exit_getxattr(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; @@ -1204,7 +1162,6 @@ int handle_sys_exit_getxattr(struct trace_event_raw_sys_exit *ctx) { return 0; } -// sys_enter_lgetxattr is a path_event SEC("tracepoint/syscalls/sys_enter_lgetxattr") int handle_sys_enter_lgetxattr(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; @@ -1227,7 +1184,6 @@ int handle_sys_enter_lgetxattr(struct trace_event_raw_sys_enter *ctx) { return 0; } -// sys_exit_lgetxattr is a ret_event SEC("tracepoint/syscalls/sys_exit_lgetxattr") int handle_sys_exit_lgetxattr(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; 
@@ -1249,7 +1205,6 @@ int handle_sys_exit_lgetxattr(struct trace_event_raw_sys_exit *ctx) { return 0; } -// sys_enter_listxattrat is a path_event SEC("tracepoint/syscalls/sys_enter_listxattrat") int handle_sys_enter_listxattrat(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; @@ -1272,7 +1227,6 @@ int handle_sys_enter_listxattrat(struct trace_event_raw_sys_enter *ctx) { return 0; } -// sys_exit_listxattrat is a ret_event SEC("tracepoint/syscalls/sys_exit_listxattrat") int handle_sys_exit_listxattrat(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; @@ -1294,7 +1248,6 @@ int handle_sys_exit_listxattrat(struct trace_event_raw_sys_exit *ctx) { return 0; } -// sys_enter_listxattr is a path_event SEC("tracepoint/syscalls/sys_enter_listxattr") int handle_sys_enter_listxattr(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; @@ -1317,7 +1270,6 @@ int handle_sys_enter_listxattr(struct trace_event_raw_sys_enter *ctx) { return 0; } -// sys_exit_listxattr is a ret_event SEC("tracepoint/syscalls/sys_exit_listxattr") int handle_sys_exit_listxattr(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; @@ -1339,7 +1291,6 @@ int handle_sys_exit_listxattr(struct trace_event_raw_sys_exit *ctx) { return 0; } -// sys_enter_llistxattr is a path_event SEC("tracepoint/syscalls/sys_enter_llistxattr") int handle_sys_enter_llistxattr(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; @@ -1362,7 +1313,6 @@ int handle_sys_enter_llistxattr(struct trace_event_raw_sys_enter *ctx) { return 0; } -// sys_exit_llistxattr is a ret_event SEC("tracepoint/syscalls/sys_exit_llistxattr") int handle_sys_exit_llistxattr(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; @@ -1384,7 +1334,6 @@ int handle_sys_exit_llistxattr(struct trace_event_raw_sys_exit *ctx) { return 0; } -// sys_enter_removexattrat is a path_event SEC("tracepoint/syscalls/sys_enter_removexattrat") int handle_sys_enter_removexattrat(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; 
@@ -1407,7 +1356,6 @@ int handle_sys_enter_removexattrat(struct trace_event_raw_sys_enter *ctx) { return 0; } -// sys_exit_removexattrat is a ret_event SEC("tracepoint/syscalls/sys_exit_removexattrat") int handle_sys_exit_removexattrat(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; @@ -1429,7 +1377,6 @@ int handle_sys_exit_removexattrat(struct trace_event_raw_sys_exit *ctx) { return 0; } -// sys_enter_removexattr is a path_event SEC("tracepoint/syscalls/sys_enter_removexattr") int handle_sys_enter_removexattr(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; @@ -1452,7 +1399,6 @@ int handle_sys_enter_removexattr(struct trace_event_raw_sys_enter *ctx) { return 0; } -// sys_exit_removexattr is a ret_event SEC("tracepoint/syscalls/sys_exit_removexattr") int handle_sys_exit_removexattr(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; @@ -1474,7 +1420,6 @@ int handle_sys_exit_removexattr(struct trace_event_raw_sys_exit *ctx) { return 0; } -// sys_enter_lremovexattr is a path_event SEC("tracepoint/syscalls/sys_enter_lremovexattr") int handle_sys_enter_lremovexattr(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; @@ -1497,7 +1442,6 @@ int handle_sys_enter_lremovexattr(struct trace_event_raw_sys_enter *ctx) { return 0; } -// sys_exit_lremovexattr is a ret_event SEC("tracepoint/syscalls/sys_exit_lremovexattr") int handle_sys_exit_lremovexattr(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; @@ -1519,7 +1463,6 @@ int handle_sys_exit_lremovexattr(struct trace_event_raw_sys_exit *ctx) { return 0; } -// sys_enter_open_tree is a open_event SEC("tracepoint/syscalls/sys_enter_open_tree") int handle_sys_enter_open_tree(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; 
@@ -1544,7 +1487,6 @@ int handle_sys_enter_open_tree(struct trace_event_raw_sys_enter *ctx) { return 0; } -// sys_exit_open_tree is a ret_event SEC("tracepoint/syscalls/sys_exit_open_tree") int handle_sys_exit_open_tree(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; @@ -1566,7 +1508,6 @@ int handle_sys_exit_open_tree(struct trace_event_raw_sys_exit *ctx) { return 0; } -// sys_enter_close_range is a fd_event SEC("tracepoint/syscalls/sys_enter_close_range") int handle_sys_enter_close_range(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; @@ -1588,7 +1529,6 @@ int handle_sys_enter_close_range(struct trace_event_raw_sys_enter *ctx) { return 0; } -// sys_exit_close_range is a ret_event SEC("tracepoint/syscalls/sys_exit_close_range") int handle_sys_exit_close_range(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; @@ -1610,7 +1550,6 @@ int handle_sys_exit_close_range(struct trace_event_raw_sys_exit *ctx) { return 0; } -// sys_enter_getdents is a fd_event SEC("tracepoint/syscalls/sys_enter_getdents") int handle_sys_enter_getdents(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; @@ -1632,7 +1571,6 @@ int handle_sys_enter_getdents(struct trace_event_raw_sys_enter *ctx) { return 0; } -// sys_exit_getdents is a ret_event SEC("tracepoint/syscalls/sys_exit_getdents") int handle_sys_exit_getdents(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; @@ -1654,7 +1592,6 @@ int handle_sys_exit_getdents(struct trace_event_raw_sys_exit *ctx) { return 0; } -// sys_enter_getdents64 is a fd_event SEC("tracepoint/syscalls/sys_enter_getdents64") int handle_sys_enter_getdents64(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; @@ -1676,7 +1613,6 @@ int handle_sys_enter_getdents64(struct trace_event_raw_sys_enter *ctx) { return 0; } -// sys_exit_getdents64 is a ret_event SEC("tracepoint/syscalls/sys_exit_getdents64") int handle_sys_exit_getdents64(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; 
@@ -1698,124 +1634,29 @@ int handle_sys_exit_getdents64(struct trace_event_raw_sys_exit *ctx) { return 0; } -// sys_enter_ioctl is a fd_event SEC("tracepoint/syscalls/sys_enter_ioctl") -int handle_sys_enter_ioctl(struct trace_event_raw_sys_enter *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); - if (!ev) - return 0; - - ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_IOCTL; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - ev->fd = (__s32)ctx->args[0]; - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -// sys_exit_ioctl is a ret_event -SEC("tracepoint/syscalls/sys_exit_ioctl") -int handle_sys_exit_ioctl(struct trace_event_raw_sys_exit *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); - if (!ev) - return 0; - - ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_IOCTL; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - ev->ret = ctx->ret; - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -// sys_enter_fcntl is a fcntl_event -SEC("tracepoint/syscalls/sys_enter_fcntl") -int handle_sys_enter_fcntl(struct trace_event_raw_sys_enter *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct fcntl_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fcntl_event), 0); - if (!ev) - return 0; - - ev->event_type = ENTER_FCNTL_EVENT; - ev->trace_id = SYS_ENTER_FCNTL; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - ev->fd = ctx->args[0]; - ev->cmd = ctx->args[1]; - ev->arg = ctx->args[2]; - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -// sys_exit_fcntl is a ret_event -SEC("tracepoint/syscalls/sys_exit_fcntl") -int handle_sys_exit_fcntl(struct trace_event_raw_sys_exit *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct ret_event *ev = 
bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); - if (!ev) - return 0; - - ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_FCNTL; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - ev->ret = ctx->ret; - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -// sys_enter_mknodat is a open_event -SEC("tracepoint/syscalls/sys_enter_mknodat") -int handle_sys_enter_mknodat(struct trace_event_raw_sys_enter *ctx) { +int handle_sys_enter_ioctl(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; - ev->event_type = ENTER_OPEN_EVENT; - ev->trace_id = SYS_ENTER_MKNODAT; + ev->event_type = ENTER_FD_EVENT; + ev->trace_id = SYS_ENTER_IOCTL; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); - __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); - bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[1]); - bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); - ev->flags = -1; // Probably OK + ev->fd = (__s32)ctx->args[0]; bpf_ringbuf_submit(ev, 0); return 0; } -// sys_exit_mknodat is a ret_event -SEC("tracepoint/syscalls/sys_exit_mknodat") -int handle_sys_exit_mknodat(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_ioctl") +int handle_sys_exit_ioctl(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -1825,7 +1666,7 @@ int handle_sys_exit_mknodat(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_MKNODAT; + ev->trace_id = SYS_EXIT_IOCTL; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); 
@@ -1835,34 +1676,31 @@ int handle_sys_exit_mknodat(struct trace_event_raw_sys_exit *ctx) { return 0; } -// sys_enter_mknod is a open_event -SEC("tracepoint/syscalls/sys_enter_mknod") -int handle_sys_enter_mknod(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_fcntl") +int handle_sys_enter_fcntl(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); + struct fcntl_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fcntl_event), 0); if (!ev) return 0; - ev->event_type = ENTER_OPEN_EVENT; - ev->trace_id = SYS_ENTER_MKNOD; + ev->event_type = ENTER_FCNTL_EVENT; + ev->trace_id = SYS_ENTER_FCNTL; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); - __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); - bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[0]); - bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); - ev->flags = -1; // Probably OK + ev->fd = ctx->args[0]; + ev->cmd = ctx->args[1]; + ev->arg = ctx->args[2]; bpf_ringbuf_submit(ev, 0); return 0; } -// sys_exit_mknod is a ret_event -SEC("tracepoint/syscalls/sys_exit_mknod") -int handle_sys_exit_mknod(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_fcntl") +int handle_sys_exit_fcntl(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -1872,7 +1710,7 @@ int handle_sys_exit_mknod(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_MKNOD; + ev->trace_id = SYS_EXIT_FCNTL; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); 
@@ -1882,7 +1720,6 @@ int handle_sys_exit_mknod(struct trace_event_raw_sys_exit *ctx) { return 0; } -// sys_enter_mkdirat is a path_event SEC("tracepoint/syscalls/sys_enter_mkdirat") int handle_sys_enter_mkdirat(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; @@ -1905,7 +1742,6 @@ int handle_sys_enter_mkdirat(struct trace_event_raw_sys_enter *ctx) { return 0; } -// sys_exit_mkdirat is a ret_event SEC("tracepoint/syscalls/sys_exit_mkdirat") int handle_sys_exit_mkdirat(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; @@ -1927,7 +1763,6 @@ int handle_sys_exit_mkdirat(struct trace_event_raw_sys_exit *ctx) { return 0; } -// sys_enter_mkdir is a path_event SEC("tracepoint/syscalls/sys_enter_mkdir") int handle_sys_enter_mkdir(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; @@ -1950,7 +1785,6 @@ int handle_sys_enter_mkdir(struct trace_event_raw_sys_enter *ctx) { return 0; } -// sys_exit_mkdir is a ret_event SEC("tracepoint/syscalls/sys_exit_mkdir") int handle_sys_exit_mkdir(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; @@ -1972,7 +1806,6 @@ int handle_sys_exit_mkdir(struct trace_event_raw_sys_exit *ctx) { return 0; } -// sys_enter_rmdir is a path_event SEC("tracepoint/syscalls/sys_enter_rmdir") int handle_sys_enter_rmdir(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; @@ -1995,7 +1828,6 @@ int handle_sys_enter_rmdir(struct trace_event_raw_sys_enter *ctx) { return 0; } -// sys_exit_rmdir is a ret_event SEC("tracepoint/syscalls/sys_exit_rmdir") int handle_sys_exit_rmdir(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; @@ -2017,7 +1849,6 @@ int handle_sys_exit_rmdir(struct trace_event_raw_sys_exit *ctx) { return 0; } -// sys_enter_unlinkat is a path_event SEC("tracepoint/syscalls/sys_enter_unlinkat") int handle_sys_enter_unlinkat(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; 
@@ -2040,7 +1871,6 @@ int handle_sys_enter_unlinkat(struct trace_event_raw_sys_enter *ctx) { return 0; } -// sys_exit_unlinkat is a ret_event SEC("tracepoint/syscalls/sys_exit_unlinkat") int handle_sys_exit_unlinkat(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; @@ -2062,7 +1892,6 @@ int handle_sys_exit_unlinkat(struct trace_event_raw_sys_exit *ctx) { return 0; } -// sys_enter_unlink is a path_event SEC("tracepoint/syscalls/sys_enter_unlink") int handle_sys_enter_unlink(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; @@ -2085,7 +1914,6 @@ int handle_sys_enter_unlink(struct trace_event_raw_sys_enter *ctx) { return 0; } -// sys_exit_unlink is a ret_event SEC("tracepoint/syscalls/sys_exit_unlink") int handle_sys_exit_unlink(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; @@ -2107,7 +1935,6 @@ int handle_sys_exit_unlink(struct trace_event_raw_sys_exit *ctx) { return 0; } -// sys_enter_symlinkat is a name_event SEC("tracepoint/syscalls/sys_enter_symlinkat") int handle_sys_enter_symlinkat(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; @@ -2131,7 +1958,6 @@ int handle_sys_enter_symlinkat(struct trace_event_raw_sys_enter *ctx) { return 0; } -// sys_exit_symlinkat is a ret_event SEC("tracepoint/syscalls/sys_exit_symlinkat") int handle_sys_exit_symlinkat(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; @@ -2153,7 +1979,6 @@ int handle_sys_exit_symlinkat(struct trace_event_raw_sys_exit *ctx) { return 0; } -// sys_enter_symlink is a name_event SEC("tracepoint/syscalls/sys_enter_symlink") int handle_sys_enter_symlink(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; @@ -2177,7 +2002,6 @@ int handle_sys_enter_symlink(struct trace_event_raw_sys_enter *ctx) { return 0; } -// sys_exit_symlink is a ret_event SEC("tracepoint/syscalls/sys_exit_symlink") int handle_sys_exit_symlink(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; 
@@ -2199,7 +2023,6 @@ int handle_sys_exit_symlink(struct trace_event_raw_sys_exit *ctx) { return 0; } -// sys_enter_linkat is a name_event SEC("tracepoint/syscalls/sys_enter_linkat") int handle_sys_enter_linkat(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; @@ -2223,7 +2046,6 @@ int handle_sys_enter_linkat(struct trace_event_raw_sys_enter *ctx) { return 0; } -// sys_exit_linkat is a ret_event SEC("tracepoint/syscalls/sys_exit_linkat") int handle_sys_exit_linkat(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; @@ -2245,7 +2067,6 @@ int handle_sys_exit_linkat(struct trace_event_raw_sys_exit *ctx) { return 0; } -// sys_enter_link is a name_event SEC("tracepoint/syscalls/sys_enter_link") int handle_sys_enter_link(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; @@ -2269,7 +2090,6 @@ int handle_sys_enter_link(struct trace_event_raw_sys_enter *ctx) { return 0; } -// sys_exit_link is a ret_event SEC("tracepoint/syscalls/sys_exit_link") int handle_sys_exit_link(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; @@ -2291,7 +2111,6 @@ int handle_sys_exit_link(struct trace_event_raw_sys_exit *ctx) { return 0; } -// sys_enter_renameat2 is a name_event SEC("tracepoint/syscalls/sys_enter_renameat2") int handle_sys_enter_renameat2(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; @@ -2315,7 +2134,6 @@ int handle_sys_enter_renameat2(struct trace_event_raw_sys_enter *ctx) { return 0; } -// sys_exit_renameat2 is a ret_event SEC("tracepoint/syscalls/sys_exit_renameat2") int handle_sys_exit_renameat2(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; @@ -2337,7 +2155,6 @@ int handle_sys_exit_renameat2(struct trace_event_raw_sys_exit *ctx) { return 0; } -// sys_enter_renameat is a name_event SEC("tracepoint/syscalls/sys_enter_renameat") int handle_sys_enter_renameat(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; 
@@ -2361,7 +2178,6 @@ int handle_sys_enter_renameat(struct trace_event_raw_sys_enter *ctx) { return 0; } -// sys_exit_renameat is a ret_event SEC("tracepoint/syscalls/sys_exit_renameat") int handle_sys_exit_renameat(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; @@ -2383,7 +2199,6 @@ int handle_sys_exit_renameat(struct trace_event_raw_sys_exit *ctx) { return 0; } -// sys_enter_rename is a name_event SEC("tracepoint/syscalls/sys_enter_rename") int handle_sys_enter_rename(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; @@ -2407,7 +2222,6 @@ int handle_sys_enter_rename(struct trace_event_raw_sys_enter *ctx) { return 0; } -// sys_exit_rename is a ret_event SEC("tracepoint/syscalls/sys_exit_rename") int handle_sys_exit_rename(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; 
@@ -2429,126 +2243,28 @@ int handle_sys_exit_rename(struct trace_event_raw_sys_exit *ctx) { return 0; } -// sys_enter_execve is a open_event -SEC("tracepoint/syscalls/sys_enter_execve") -int handle_sys_enter_execve(struct trace_event_raw_sys_enter *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); - if (!ev) - return 0; - - ev->event_type = ENTER_OPEN_EVENT; - ev->trace_id = SYS_ENTER_EXECVE; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); - bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[0]); - bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); - ev->flags = -1; // Probably OK - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -// sys_exit_execve is a ret_event -SEC("tracepoint/syscalls/sys_exit_execve") -int handle_sys_exit_execve(struct trace_event_raw_sys_exit *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); - if (!ev) - return 0; - - ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_EXECVE; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - ev->ret = ctx->ret; - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -// sys_enter_execveat is a open_event -SEC("tracepoint/syscalls/sys_enter_execveat") -int handle_sys_enter_execveat(struct trace_event_raw_sys_enter *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); - if (!ev) - return 0; - - ev->event_type = ENTER_OPEN_EVENT; - ev->trace_id = SYS_ENTER_EXECVEAT; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); - bpf_probe_read_user_str(ev->filename, 
sizeof(ev->filename), (void *)ctx->args[1]); - bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); - ev->flags = ctx->args[4]; - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -// sys_exit_execveat is a ret_event -SEC("tracepoint/syscalls/sys_exit_execveat") -int handle_sys_exit_execveat(struct trace_event_raw_sys_exit *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); - if (!ev) - return 0; - - ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_EXECVEAT; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - ev->ret = ctx->ret; - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -// sys_enter_newstat is a open_event SEC("tracepoint/syscalls/sys_enter_newstat") int handle_sys_enter_newstat(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; - ev->event_type = ENTER_OPEN_EVENT; + ev->event_type = ENTER_PATH_EVENT; ev->trace_id = SYS_ENTER_NEWSTAT; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); - __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); - bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[0]); - bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); - ev->flags = -1; // Probably OK + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); bpf_ringbuf_submit(ev, 0); return 0; } -// sys_exit_newstat is a ret_event SEC("tracepoint/syscalls/sys_exit_newstat") int handle_sys_exit_newstat(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; 
@@ -2570,32 +2286,28 @@ int handle_sys_exit_newstat(struct trace_event_raw_sys_exit *ctx) { return 0; } -// sys_enter_newlstat is a open_event SEC("tracepoint/syscalls/sys_enter_newlstat") int handle_sys_enter_newlstat(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; - ev->event_type = ENTER_OPEN_EVENT; + ev->event_type = ENTER_PATH_EVENT; ev->trace_id = SYS_ENTER_NEWLSTAT; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); - __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); - bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[0]); - bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); - ev->flags = -1; // Probably OK + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); bpf_ringbuf_submit(ev, 0); return 0; } -// sys_exit_newlstat is a ret_event SEC("tracepoint/syscalls/sys_exit_newlstat") int handle_sys_exit_newlstat(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; 
@@ -2617,32 +2329,28 @@ int handle_sys_exit_newlstat(struct trace_event_raw_sys_exit *ctx) { return 0; } -// sys_enter_newfstatat is a open_event SEC("tracepoint/syscalls/sys_enter_newfstatat") int handle_sys_enter_newfstatat(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; - ev->event_type = ENTER_OPEN_EVENT; + ev->event_type = ENTER_PATH_EVENT; ev->trace_id = SYS_ENTER_NEWFSTATAT; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); - __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); - bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[1]); - bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); - ev->flags = -1; // Probably OK + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]); bpf_ringbuf_submit(ev, 0); return 0; } -// sys_exit_newfstatat is a ret_event SEC("tracepoint/syscalls/sys_exit_newfstatat") int handle_sys_exit_newfstatat(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; @@ -2664,7 +2372,6 @@ int handle_sys_exit_newfstatat(struct trace_event_raw_sys_exit *ctx) { return 0; } -// sys_enter_newfstat is a fd_event SEC("tracepoint/syscalls/sys_enter_newfstat") int handle_sys_enter_newfstat(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; @@ -2686,7 +2393,6 @@ int handle_sys_enter_newfstat(struct trace_event_raw_sys_enter *ctx) { return 0; } -// sys_exit_newfstat is a ret_event SEC("tracepoint/syscalls/sys_exit_newfstat") int handle_sys_exit_newfstat(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; 
@@ -2708,7 +2414,6 @@ int handle_sys_exit_newfstat(struct trace_event_raw_sys_exit *ctx) { return 0; } -// sys_enter_readlinkat is a path_event SEC("tracepoint/syscalls/sys_enter_readlinkat") int handle_sys_enter_readlinkat(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; @@ -2731,7 +2436,6 @@ int handle_sys_enter_readlinkat(struct trace_event_raw_sys_enter *ctx) { return 0; } -// sys_exit_readlinkat is a ret_event SEC("tracepoint/syscalls/sys_exit_readlinkat") int handle_sys_exit_readlinkat(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; @@ -2753,32 +2457,28 @@ int handle_sys_exit_readlinkat(struct trace_event_raw_sys_exit *ctx) { return 0; } -// sys_enter_statx is a open_event SEC("tracepoint/syscalls/sys_enter_statx") int handle_sys_enter_statx(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; - ev->event_type = ENTER_OPEN_EVENT; + ev->event_type = ENTER_PATH_EVENT; ev->trace_id = SYS_ENTER_STATX; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); - __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); - bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[1]); - bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); - ev->flags = ctx->args[2]; + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]); bpf_ringbuf_submit(ev, 0); return 0; } -// sys_exit_statx is a ret_event SEC("tracepoint/syscalls/sys_exit_statx") int handle_sys_exit_statx(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; 
@@ -2800,7 +2500,6 @@ int handle_sys_exit_statx(struct trace_event_raw_sys_exit *ctx) { return 0; } -// sys_enter_lseek is a fd_event SEC("tracepoint/syscalls/sys_enter_lseek") int handle_sys_enter_lseek(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; @@ -2822,7 +2521,6 @@ int handle_sys_enter_lseek(struct trace_event_raw_sys_enter *ctx) { return 0; } -// sys_exit_lseek is a ret_event SEC("tracepoint/syscalls/sys_exit_lseek") int handle_sys_exit_lseek(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; @@ -2844,7 +2542,6 @@ int handle_sys_exit_lseek(struct trace_event_raw_sys_exit *ctx) { return 0; } -// sys_enter_read is a fd_event SEC("tracepoint/syscalls/sys_enter_read") int handle_sys_enter_read(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; @@ -2866,7 +2563,6 @@ int handle_sys_enter_read(struct trace_event_raw_sys_enter *ctx) { return 0; } -// sys_exit_read is a ret_event SEC("tracepoint/syscalls/sys_exit_read") int handle_sys_exit_read(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; @@ -2888,7 +2584,6 @@ int handle_sys_exit_read(struct trace_event_raw_sys_exit *ctx) { return 0; } -// sys_enter_write is a fd_event SEC("tracepoint/syscalls/sys_enter_write") int handle_sys_enter_write(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; @@ -2910,7 +2605,6 @@ int handle_sys_enter_write(struct trace_event_raw_sys_enter *ctx) { return 0; } -// sys_exit_write is a ret_event SEC("tracepoint/syscalls/sys_exit_write") int handle_sys_exit_write(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; @@ -2932,7 +2626,6 @@ int handle_sys_exit_write(struct trace_event_raw_sys_exit *ctx) { return 0; } -// sys_enter_pread64 is a fd_event SEC("tracepoint/syscalls/sys_enter_pread64") int handle_sys_enter_pread64(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; 
@@ -2954,7 +2647,6 @@ int handle_sys_enter_pread64(struct trace_event_raw_sys_enter *ctx) { return 0; } -// sys_exit_pread64 is a ret_event SEC("tracepoint/syscalls/sys_exit_pread64") int handle_sys_exit_pread64(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; @@ -2976,7 +2668,6 @@ int handle_sys_exit_pread64(struct trace_event_raw_sys_exit *ctx) { return 0; } -// sys_enter_pwrite64 is a fd_event SEC("tracepoint/syscalls/sys_enter_pwrite64") int handle_sys_enter_pwrite64(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; @@ -2998,7 +2689,6 @@ int handle_sys_enter_pwrite64(struct trace_event_raw_sys_enter *ctx) { return 0; } -// sys_exit_pwrite64 is a ret_event SEC("tracepoint/syscalls/sys_exit_pwrite64") int handle_sys_exit_pwrite64(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; @@ -3020,7 +2710,6 @@ int handle_sys_exit_pwrite64(struct trace_event_raw_sys_exit *ctx) { return 0; } -// sys_enter_ftruncate is a fd_event SEC("tracepoint/syscalls/sys_enter_ftruncate") int handle_sys_enter_ftruncate(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; @@ -3042,7 +2731,6 @@ int handle_sys_enter_ftruncate(struct trace_event_raw_sys_enter *ctx) { return 0; } -// sys_exit_ftruncate is a ret_event SEC("tracepoint/syscalls/sys_exit_ftruncate") int handle_sys_exit_ftruncate(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; 
@@ -3064,32 +2752,28 @@ int handle_sys_exit_ftruncate(struct trace_event_raw_sys_exit *ctx) { return 0; } -// sys_enter_faccessat is a open_event SEC("tracepoint/syscalls/sys_enter_faccessat") int handle_sys_enter_faccessat(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; - ev->event_type = ENTER_OPEN_EVENT; + ev->event_type = ENTER_PATH_EVENT; ev->trace_id = SYS_ENTER_FACCESSAT; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); - __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); - bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[1]); - bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); - ev->flags = -1; // Probably OK + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]); bpf_ringbuf_submit(ev, 0); return 0; } -// sys_exit_faccessat is a ret_event SEC("tracepoint/syscalls/sys_exit_faccessat") int handle_sys_exit_faccessat(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; 
@@ -3111,32 +2795,28 @@ int handle_sys_exit_faccessat(struct trace_event_raw_sys_exit *ctx) { return 0; } -// sys_enter_faccessat2 is a open_event SEC("tracepoint/syscalls/sys_enter_faccessat2") int handle_sys_enter_faccessat2(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; - ev->event_type = ENTER_OPEN_EVENT; + ev->event_type = ENTER_PATH_EVENT; ev->trace_id = SYS_ENTER_FACCESSAT2; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); - __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); - bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[1]); - bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); - ev->flags = ctx->args[3]; + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]); bpf_ringbuf_submit(ev, 0); return 0; } -// sys_exit_faccessat2 is a ret_event SEC("tracepoint/syscalls/sys_exit_faccessat2") int handle_sys_exit_faccessat2(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; 
@@ -3158,32 +2838,28 @@ int handle_sys_exit_faccessat2(struct trace_event_raw_sys_exit *ctx) { return 0; } -// sys_enter_access is a open_event SEC("tracepoint/syscalls/sys_enter_access") int handle_sys_enter_access(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; - ev->event_type = ENTER_OPEN_EVENT; + ev->event_type = ENTER_PATH_EVENT; ev->trace_id = SYS_ENTER_ACCESS; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); - __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); - bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[0]); - bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); - ev->flags = -1; // Probably OK + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); bpf_ringbuf_submit(ev, 0); return 0; } -// sys_exit_access is a ret_event SEC("tracepoint/syscalls/sys_exit_access") int handle_sys_exit_access(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; 
@@ -3205,32 +2881,28 @@ int handle_sys_exit_access(struct trace_event_raw_sys_exit *ctx) { return 0; } -// sys_enter_chdir is a open_event SEC("tracepoint/syscalls/sys_enter_chdir") int handle_sys_enter_chdir(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; - ev->event_type = ENTER_OPEN_EVENT; + ev->event_type = ENTER_PATH_EVENT; ev->trace_id = SYS_ENTER_CHDIR; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); - __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); - bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[0]); - bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); - ev->flags = -1; // Probably OK + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); bpf_ringbuf_submit(ev, 0); return 0; } -// sys_exit_chdir is a ret_event SEC("tracepoint/syscalls/sys_exit_chdir") int handle_sys_exit_chdir(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; @@ -3252,7 +2924,6 @@ int handle_sys_exit_chdir(struct trace_event_raw_sys_exit *ctx) { return 0; } -// sys_enter_fchdir is a fd_event SEC("tracepoint/syscalls/sys_enter_fchdir") int handle_sys_enter_fchdir(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; @@ -3274,7 +2945,6 @@ int handle_sys_enter_fchdir(struct trace_event_raw_sys_enter *ctx) { return 0; } -// sys_exit_fchdir is a ret_event SEC("tracepoint/syscalls/sys_exit_fchdir") int handle_sys_exit_fchdir(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; 
@@ -3296,32 +2966,28 @@ int handle_sys_exit_fchdir(struct trace_event_raw_sys_exit *ctx) { return 0; } -// sys_enter_chroot is a open_event SEC("tracepoint/syscalls/sys_enter_chroot") int handle_sys_enter_chroot(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; - ev->event_type = ENTER_OPEN_EVENT; + ev->event_type = ENTER_PATH_EVENT; ev->trace_id = SYS_ENTER_CHROOT; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); - __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); - bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[0]); - bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); - ev->flags = -1; // Probably OK + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); bpf_ringbuf_submit(ev, 0); return 0; } -// sys_exit_chroot is a ret_event SEC("tracepoint/syscalls/sys_exit_chroot") int handle_sys_exit_chroot(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; @@ -3343,7 +3009,6 @@ int handle_sys_exit_chroot(struct trace_event_raw_sys_exit *ctx) { return 0; } -// sys_enter_fchmod is a fd_event SEC("tracepoint/syscalls/sys_enter_fchmod") int handle_sys_enter_fchmod(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; @@ -3365,7 +3030,6 @@ int handle_sys_enter_fchmod(struct trace_event_raw_sys_enter *ctx) { return 0; } -// sys_exit_fchmod is a ret_event SEC("tracepoint/syscalls/sys_exit_fchmod") int handle_sys_exit_fchmod(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; 
@@ -3387,32 +3051,28 @@ int handle_sys_exit_fchmod(struct trace_event_raw_sys_exit *ctx) { return 0; } -// sys_enter_fchmodat2 is a open_event SEC("tracepoint/syscalls/sys_enter_fchmodat2") int handle_sys_enter_fchmodat2(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; - ev->event_type = ENTER_OPEN_EVENT; + ev->event_type = ENTER_PATH_EVENT; ev->trace_id = SYS_ENTER_FCHMODAT2; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); - __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); - bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[1]); - bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); - ev->flags = ctx->args[3]; + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]); bpf_ringbuf_submit(ev, 0); return 0; } -// sys_exit_fchmodat2 is a ret_event SEC("tracepoint/syscalls/sys_exit_fchmodat2") int handle_sys_exit_fchmodat2(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; 
@@ -3434,32 +3094,28 @@ int handle_sys_exit_fchmodat2(struct trace_event_raw_sys_exit *ctx) { return 0; } -// sys_enter_fchmodat is a open_event SEC("tracepoint/syscalls/sys_enter_fchmodat") int handle_sys_enter_fchmodat(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; - ev->event_type = ENTER_OPEN_EVENT; + ev->event_type = ENTER_PATH_EVENT; ev->trace_id = SYS_ENTER_FCHMODAT; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); - __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); - bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[1]); - bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); - ev->flags = -1; // Probably OK + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]); bpf_ringbuf_submit(ev, 0); return 0; } -// sys_exit_fchmodat is a ret_event SEC("tracepoint/syscalls/sys_exit_fchmodat") int handle_sys_exit_fchmodat(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; 
@@ -3481,32 +3137,28 @@ int handle_sys_exit_fchmodat(struct trace_event_raw_sys_exit *ctx) { return 0; } -// sys_enter_chmod is a open_event SEC("tracepoint/syscalls/sys_enter_chmod") int handle_sys_enter_chmod(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; - ev->event_type = ENTER_OPEN_EVENT; + ev->event_type = ENTER_PATH_EVENT; ev->trace_id = SYS_ENTER_CHMOD; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); - __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); - bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[0]); - bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); - ev->flags = -1; // Probably OK + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); bpf_ringbuf_submit(ev, 0); return 0; } -// sys_exit_chmod is a ret_event SEC("tracepoint/syscalls/sys_exit_chmod") int handle_sys_exit_chmod(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; 
@@ -3528,32 +3180,28 @@ int handle_sys_exit_chmod(struct trace_event_raw_sys_exit *ctx) { return 0; } -// sys_enter_fchownat is a open_event SEC("tracepoint/syscalls/sys_enter_fchownat") int handle_sys_enter_fchownat(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; - ev->event_type = ENTER_OPEN_EVENT; + ev->event_type = ENTER_PATH_EVENT; ev->trace_id = SYS_ENTER_FCHOWNAT; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); - __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); - bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[1]); - bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); - ev->flags = -1; // Probably OK + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]); bpf_ringbuf_submit(ev, 0); return 0; } -// sys_exit_fchownat is a ret_event SEC("tracepoint/syscalls/sys_exit_fchownat") int handle_sys_exit_fchownat(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; 
@@ -3575,32 +3223,28 @@ int handle_sys_exit_fchownat(struct trace_event_raw_sys_exit *ctx) { return 0; } -// sys_enter_chown is a open_event SEC("tracepoint/syscalls/sys_enter_chown") int handle_sys_enter_chown(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; - ev->event_type = ENTER_OPEN_EVENT; + ev->event_type = ENTER_PATH_EVENT; ev->trace_id = SYS_ENTER_CHOWN; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); - __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); - bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[0]); - bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); - ev->flags = -1; // Probably OK + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); bpf_ringbuf_submit(ev, 0); return 0; } -// sys_exit_chown is a ret_event SEC("tracepoint/syscalls/sys_exit_chown") int handle_sys_exit_chown(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; 
@@ -3622,32 +3266,28 @@ int handle_sys_exit_chown(struct trace_event_raw_sys_exit *ctx) { return 0; } -// sys_enter_lchown is a open_event SEC("tracepoint/syscalls/sys_enter_lchown") int handle_sys_enter_lchown(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; - ev->event_type = ENTER_OPEN_EVENT; + ev->event_type = ENTER_PATH_EVENT; ev->trace_id = SYS_ENTER_LCHOWN; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); - __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); - bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[0]); - bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); - ev->flags = -1; // Probably OK + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); bpf_ringbuf_submit(ev, 0); return 0; } -// sys_exit_lchown is a ret_event SEC("tracepoint/syscalls/sys_exit_lchown") int handle_sys_exit_lchown(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; @@ -3669,7 +3309,6 @@ int handle_sys_exit_lchown(struct trace_event_raw_sys_exit *ctx) { return 0; } -// sys_enter_fchown is a fd_event SEC("tracepoint/syscalls/sys_enter_fchown") int handle_sys_enter_fchown(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; @@ -3691,7 +3330,6 @@ int handle_sys_enter_fchown(struct trace_event_raw_sys_enter *ctx) { return 0; } -// sys_exit_fchown is a ret_event SEC("tracepoint/syscalls/sys_exit_fchown") int handle_sys_exit_fchown(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; 
@@ -3713,7 +3351,6 @@ int handle_sys_exit_fchown(struct trace_event_raw_sys_exit *ctx) { return 0; } -// sys_enter_open is a open_event SEC("tracepoint/syscalls/sys_enter_open") int handle_sys_enter_open(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; @@ -3738,7 +3375,6 @@ int handle_sys_enter_open(struct trace_event_raw_sys_enter *ctx) { return 0; } -// sys_exit_open is a ret_event SEC("tracepoint/syscalls/sys_exit_open") int handle_sys_exit_open(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; @@ -3760,7 +3396,6 @@ int handle_sys_exit_open(struct trace_event_raw_sys_exit *ctx) { return 0; } -// sys_enter_openat is a open_event SEC("tracepoint/syscalls/sys_enter_openat") int handle_sys_enter_openat(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; @@ -3785,7 +3420,6 @@ int handle_sys_enter_openat(struct trace_event_raw_sys_enter *ctx) { return 0; } -// sys_exit_openat is a ret_event SEC("tracepoint/syscalls/sys_exit_openat") int handle_sys_exit_openat(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; @@ -3807,7 +3441,6 @@ int handle_sys_exit_openat(struct trace_event_raw_sys_exit *ctx) { return 0; } -// sys_enter_openat2 is a open_event SEC("tracepoint/syscalls/sys_enter_openat2") int handle_sys_enter_openat2(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; @@ -3832,7 +3465,6 @@ int handle_sys_enter_openat2(struct trace_event_raw_sys_enter *ctx) { return 0; } -// sys_exit_openat2 is a ret_event SEC("tracepoint/syscalls/sys_exit_openat2") int handle_sys_exit_openat2(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; @@ -3854,7 +3486,6 @@ int handle_sys_exit_openat2(struct trace_event_raw_sys_exit *ctx) { return 0; } -// sys_enter_creat is a path_event SEC("tracepoint/syscalls/sys_enter_creat") int handle_sys_enter_creat(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; 
@@ -3877,7 +3508,6 @@ int handle_sys_enter_creat(struct trace_event_raw_sys_enter *ctx) { return 0; } -// sys_exit_creat is a ret_event SEC("tracepoint/syscalls/sys_exit_creat") int handle_sys_exit_creat(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; @@ -3899,7 +3529,6 @@ int handle_sys_exit_creat(struct trace_event_raw_sys_exit *ctx) { return 0; } -// sys_enter_close is a fd_event SEC("tracepoint/syscalls/sys_enter_close") int handle_sys_enter_close(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; @@ -3921,7 +3550,6 @@ int handle_sys_enter_close(struct trace_event_raw_sys_enter *ctx) { return 0; } -// sys_exit_close is a ret_event SEC("tracepoint/syscalls/sys_exit_close") int handle_sys_exit_close(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; @@ -3943,7 +3571,6 @@ int handle_sys_exit_close(struct trace_event_raw_sys_exit *ctx) { return 0; } -// sys_enter_cachestat is a fd_event SEC("tracepoint/syscalls/sys_enter_cachestat") int handle_sys_enter_cachestat(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; @@ -3965,7 +3592,6 @@ int handle_sys_enter_cachestat(struct trace_event_raw_sys_enter *ctx) { return 0; } -// sys_exit_cachestat is a ret_event SEC("tracepoint/syscalls/sys_exit_cachestat") int handle_sys_exit_cachestat(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; diff --git a/internal/file/file.go b/internal/file/file.go index dfff134..75fcbe1 100644 --- a/internal/file/file.go +++ b/internal/file/file.go @@ -30,7 +30,6 @@ func NewFd(fd int32, name []byte, flags int32) FdFile { Flags: flags, } if f.Flags == -1 { - // TODO: newfstatat is not an open syscall! change code generator! panic(fmt.Sprintf("DEBUG with -1 flags: %v", f)) } return f diff --git a/internal/tracepoints/generated_tracepoints.go b/internal/tracepoints/generated_tracepoints.go index 5cc6223..e6ed9ee 100644 --- a/internal/tracepoints/generated_tracepoints.go +++ b/internal/tracepoints/generated_tracepoints.go 
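Review bot: In the `internal/file/file.go` hunk, `NewFd` still panics whenever `flags == -1`, and with the TODO removed nothing explains why a debug check is allowed to take the whole tracer down. The handlers rewritten in this commit no longer store the `-1` sentinel for the path-based syscalls, but the remaining open handlers are not shown in these hunks; if they copy the syscall's flags argument into the event unchanged, the traced process itself could supply that value and the tracer would exit. I would either drop the check or downgrade it to a logged warning that still returns `f`, and in either case leave a comment such as `// -1 was the generator's "no flags" sentinel; not expected now that path syscalls emit path_event`. `NewFd`'s body starts and ends outside the hunk, so how callers obtain `flags` should be confirmed there.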
@@ -62,10 +62,6 @@ var List = []string{ "sys_exit_ioctl", "sys_enter_fcntl", "sys_exit_fcntl", - "sys_enter_mknodat", - "sys_exit_mknodat", - "sys_enter_mknod", - "sys_exit_mknod", "sys_enter_mkdirat", "sys_exit_mkdirat", "sys_enter_mkdir", @@ -90,10 +86,6 @@ var List = []string{ "sys_exit_renameat", "sys_enter_rename", "sys_exit_rename", - "sys_enter_execve", - "sys_exit_execve", - "sys_enter_execveat", - "sys_exit_execveat", "sys_enter_newstat", "sys_exit_newstat", "sys_enter_newlstat", diff --git a/internal/types/generated_types.go b/internal/types/generated_types.go index e939ae0..fcebe01 100644 --- a/internal/types/generated_types.go +++ b/internal/types/generated_types.go 
@@ -12,11 +12,11 @@ type EventType uint32 type TraceId uint32 var traceId2String = map[TraceId]string{ - 1513: "enter_io_uring_register", 1512: "exit_io_uring_register", 1494: "enter_io_uring_enter", 1493: "exit_io_uring_enter", 1151: "enter_quotactl_fd", 1150: "exit_quotactl_fd", 1120: "enter_flock", 1119: "exit_flock", 1062: "enter_fanotify_mark", 1061: "exit_fanotify_mark", 1056: "enter_inotify_add_watch", 1055: "exit_inotify_add_watch", 1046: "enter_statfs", 1045: "exit_statfs", 1044: "enter_fstatfs", 1043: "exit_fstatfs", 1038: "enter_utimensat", 1037: "exit_utimensat", 1036: "enter_futimesat", 1035: "exit_futimesat", 1026: "enter_fsync", 1025: "exit_fsync", 1024: "enter_fdatasync", 1023: "exit_fdatasync", 982: "enter_setxattrat", 981: "exit_setxattrat", 980: "enter_setxattr", 979: "exit_setxattr", 978: "enter_lsetxattr", 977: "exit_lsetxattr", 974: "enter_getxattrat", 973: "exit_getxattrat", 972: "enter_getxattr", 971: "exit_getxattr", 970: "enter_lgetxattr", 969: "exit_lgetxattr", 966: "enter_listxattrat", 965: "exit_listxattrat", 964: "enter_listxattr", 963: "exit_listxattr", 962: "enter_llistxattr", 961: "exit_llistxattr", 958: "enter_removexattrat", 957: "exit_removexattrat", 956: "enter_removexattr", 955: "exit_removexattr", 954: "enter_lremovexattr", 953: "exit_lremovexattr", 948: "enter_open_tree", 947: "exit_open_tree", 930: "enter_close_range", 929: "exit_close_range", 910: "enter_getdents", 909: "exit_getdents", 908: "enter_getdents64", 907: "exit_getdents64", 906: "enter_ioctl", 905: "exit_ioctl", 904: "enter_fcntl", 903: "exit_fcntl", 902: "enter_mknodat", 901: "exit_mknodat", 900: "enter_mknod", 899: "exit_mknod", 898: "enter_mkdirat", 897: "exit_mkdirat", 896: "enter_mkdir", 895: "exit_mkdir", 894: "enter_rmdir", 893: "exit_rmdir", 892: "enter_unlinkat", 891: "exit_unlinkat", 890: "enter_unlink", 889: "exit_unlink", 888: "enter_symlinkat", 887: "exit_symlinkat", 886: "enter_symlink", 885: "exit_symlink", 884: "enter_linkat", 883: "exit_linkat", 
882: "enter_link", 881: "exit_link", 880: "enter_renameat2", 879: "exit_renameat2", 878: "enter_renameat", 877: "exit_renameat", 876: "enter_rename", 875: "exit_rename", 870: "enter_execve", 869: "exit_execve", 868: "enter_execveat", 867: "exit_execveat", 866: "enter_newstat", 865: "exit_newstat", 864: "enter_newlstat", 863: "exit_newlstat", 862: "enter_newfstatat", 861: "exit_newfstatat", 860: "enter_newfstat", 859: "exit_newfstat", 858: "enter_readlinkat", 857: "exit_readlinkat", 854: "enter_statx", 853: "exit_statx", 852: "enter_lseek", 851: "exit_lseek", 850: "enter_read", 849: "exit_read", 848: "enter_write", 847: "exit_write", 846: "enter_pread64", 845: "exit_pread64", 844: "enter_pwrite64", 843: "exit_pwrite64", 824: "enter_ftruncate", 823: "exit_ftruncate", 820: "enter_faccessat", 819: "exit_faccessat", 818: "enter_faccessat2", 817: "exit_faccessat2", 816: "enter_access", 815: "exit_access", 814: "enter_chdir", 813: "exit_chdir", 812: "enter_fchdir", 811: "exit_fchdir", 810: "enter_chroot", 809: "exit_chroot", 808: "enter_fchmod", 807: "exit_fchmod", 806: "enter_fchmodat2", 805: "exit_fchmodat2", 804: "enter_fchmodat", 803: "exit_fchmodat", 802: "enter_chmod", 801: "exit_chmod", 800: "enter_fchownat", 799: "exit_fchownat", 798: "enter_chown", 797: "exit_chown", 796: "enter_lchown", 795: "exit_lchown", 794: "enter_fchown", 793: "exit_fchown", 792: "enter_open", 791: "exit_open", 790: "enter_openat", 789: "exit_openat", 788: "enter_openat2", 787: "exit_openat2", 786: "enter_creat", 785: "exit_creat", 784: "enter_close", 783: "exit_close", 599: "enter_cachestat", 598: "exit_cachestat", + 1513: "enter_io_uring_register", 1512: "exit_io_uring_register", 1494: "enter_io_uring_enter", 1493: "exit_io_uring_enter", 1151: "enter_quotactl_fd", 1150: "exit_quotactl_fd", 1120: "enter_flock", 1119: "exit_flock", 1062: "enter_fanotify_mark", 1061: "exit_fanotify_mark", 1056: "enter_inotify_add_watch", 1055: "exit_inotify_add_watch", 1046: "enter_statfs", 1045: 
"exit_statfs", 1044: "enter_fstatfs", 1043: "exit_fstatfs", 1038: "enter_utimensat", 1037: "exit_utimensat", 1036: "enter_futimesat", 1035: "exit_futimesat", 1026: "enter_fsync", 1025: "exit_fsync", 1024: "enter_fdatasync", 1023: "exit_fdatasync", 982: "enter_setxattrat", 981: "exit_setxattrat", 980: "enter_setxattr", 979: "exit_setxattr", 978: "enter_lsetxattr", 977: "exit_lsetxattr", 974: "enter_getxattrat", 973: "exit_getxattrat", 972: "enter_getxattr", 971: "exit_getxattr", 970: "enter_lgetxattr", 969: "exit_lgetxattr", 966: "enter_listxattrat", 965: "exit_listxattrat", 964: "enter_listxattr", 963: "exit_listxattr", 962: "enter_llistxattr", 961: "exit_llistxattr", 958: "enter_removexattrat", 957: "exit_removexattrat", 956: "enter_removexattr", 955: "exit_removexattr", 954: "enter_lremovexattr", 953: "exit_lremovexattr", 948: "enter_open_tree", 947: "exit_open_tree", 930: "enter_close_range", 929: "exit_close_range", 910: "enter_getdents", 909: "exit_getdents", 908: "enter_getdents64", 907: "exit_getdents64", 906: "enter_ioctl", 905: "exit_ioctl", 904: "enter_fcntl", 903: "exit_fcntl", 898: "enter_mkdirat", 897: "exit_mkdirat", 896: "enter_mkdir", 895: "exit_mkdir", 894: "enter_rmdir", 893: "exit_rmdir", 892: "enter_unlinkat", 891: "exit_unlinkat", 890: "enter_unlink", 889: "exit_unlink", 888: "enter_symlinkat", 887: "exit_symlinkat", 886: "enter_symlink", 885: "exit_symlink", 884: "enter_linkat", 883: "exit_linkat", 882: "enter_link", 881: "exit_link", 880: "enter_renameat2", 879: "exit_renameat2", 878: "enter_renameat", 877: "exit_renameat", 876: "enter_rename", 875: "exit_rename", 866: "enter_newstat", 865: "exit_newstat", 864: "enter_newlstat", 863: "exit_newlstat", 862: "enter_newfstatat", 861: "exit_newfstatat", 860: "enter_newfstat", 859: "exit_newfstat", 858: "enter_readlinkat", 857: "exit_readlinkat", 854: "enter_statx", 853: "exit_statx", 852: "enter_lseek", 851: "exit_lseek", 850: "enter_read", 849: "exit_read", 848: "enter_write", 847: "exit_write", 
846: "enter_pread64", 845: "exit_pread64", 844: "enter_pwrite64", 843: "exit_pwrite64", 824: "enter_ftruncate", 823: "exit_ftruncate", 820: "enter_faccessat", 819: "exit_faccessat", 818: "enter_faccessat2", 817: "exit_faccessat2", 816: "enter_access", 815: "exit_access", 814: "enter_chdir", 813: "exit_chdir", 812: "enter_fchdir", 811: "exit_fchdir", 810: "enter_chroot", 809: "exit_chroot", 808: "enter_fchmod", 807: "exit_fchmod", 806: "enter_fchmodat2", 805: "exit_fchmodat2", 804: "enter_fchmodat", 803: "exit_fchmodat", 802: "enter_chmod", 801: "exit_chmod", 800: "enter_fchownat", 799: "exit_fchownat", 798: "enter_chown", 797: "exit_chown", 796: "enter_lchown", 795: "exit_lchown", 794: "enter_fchown", 793: "exit_fchown", 792: "enter_open", 791: "exit_open", 790: "enter_openat", 789: "exit_openat", 788: "enter_openat2", 787: "exit_openat2", 786: "enter_creat", 785: "exit_creat", 784: "enter_close", 783: "exit_close", 599: "enter_cachestat", 598: "exit_cachestat", } var traceId2Name = map[TraceId]string{ - 1513: "io_uring_register", 1512: "io_uring_register", 1494: "io_uring_enter", 1493: "io_uring_enter", 1151: "quotactl_fd", 1150: "quotactl_fd", 1120: "flock", 1119: "flock", 1062: "fanotify_mark", 1061: "fanotify_mark", 1056: "inotify_add_watch", 1055: "inotify_add_watch", 1046: "statfs", 1045: "statfs", 1044: "fstatfs", 1043: "fstatfs", 1038: "utimensat", 1037: "utimensat", 1036: "futimesat", 1035: "futimesat", 1026: "fsync", 1025: "fsync", 1024: "fdatasync", 1023: "fdatasync", 982: "setxattrat", 981: "setxattrat", 980: "setxattr", 979: "setxattr", 978: "lsetxattr", 977: "lsetxattr", 974: "getxattrat", 973: "getxattrat", 972: "getxattr", 971: "getxattr", 970: "lgetxattr", 969: "lgetxattr", 966: "listxattrat", 965: "listxattrat", 964: "listxattr", 963: "listxattr", 962: "llistxattr", 961: "llistxattr", 958: "removexattrat", 957: "removexattrat", 956: "removexattr", 955: "removexattr", 954: "lremovexattr", 953: "lremovexattr", 948: "open_tree", 947: "open_tree", 
930: "close_range", 929: "close_range", 910: "getdents", 909: "getdents", 908: "getdents64", 907: "getdents64", 906: "ioctl", 905: "ioctl", 904: "fcntl", 903: "fcntl", 902: "mknodat", 901: "mknodat", 900: "mknod", 899: "mknod", 898: "mkdirat", 897: "mkdirat", 896: "mkdir", 895: "mkdir", 894: "rmdir", 893: "rmdir", 892: "unlinkat", 891: "unlinkat", 890: "unlink", 889: "unlink", 888: "symlinkat", 887: "symlinkat", 886: "symlink", 885: "symlink", 884: "linkat", 883: "linkat", 882: "link", 881: "link", 880: "renameat2", 879: "renameat2", 878: "renameat", 877: "renameat", 876: "rename", 875: "rename", 870: "execve", 869: "execve", 868: "execveat", 867: "execveat", 866: "newstat", 865: "newstat", 864: "newlstat", 863: "newlstat", 862: "newfstatat", 861: "newfstatat", 860: "newfstat", 859: "newfstat", 858: "readlinkat", 857: "readlinkat", 854: "statx", 853: "statx", 852: "lseek", 851: "lseek", 850: "read", 849: "read", 848: "write", 847: "write", 846: "pread64", 845: "pread64", 844: "pwrite64", 843: "pwrite64", 824: "ftruncate", 823: "ftruncate", 820: "faccessat", 819: "faccessat", 818: "faccessat2", 817: "faccessat2", 816: "access", 815: "access", 814: "chdir", 813: "chdir", 812: "fchdir", 811: "fchdir", 810: "chroot", 809: "chroot", 808: "fchmod", 807: "fchmod", 806: "fchmodat2", 805: "fchmodat2", 804: "fchmodat", 803: "fchmodat", 802: "chmod", 801: "chmod", 800: "fchownat", 799: "fchownat", 798: "chown", 797: "chown", 796: "lchown", 795: "lchown", 794: "fchown", 793: "fchown", 792: "open", 791: "open", 790: "openat", 789: "openat", 788: "openat2", 787: "openat2", 786: "creat", 785: "creat", 784: "close", 783: "close", 599: "cachestat", 598: "cachestat", + 1513: "io_uring_register", 1512: "io_uring_register", 1494: "io_uring_enter", 1493: "io_uring_enter", 1151: "quotactl_fd", 1150: "quotactl_fd", 1120: "flock", 1119: "flock", 1062: "fanotify_mark", 1061: "fanotify_mark", 1056: "inotify_add_watch", 1055: "inotify_add_watch", 1046: "statfs", 1045: "statfs", 1044: 
"fstatfs", 1043: "fstatfs", 1038: "utimensat", 1037: "utimensat", 1036: "futimesat", 1035: "futimesat", 1026: "fsync", 1025: "fsync", 1024: "fdatasync", 1023: "fdatasync", 982: "setxattrat", 981: "setxattrat", 980: "setxattr", 979: "setxattr", 978: "lsetxattr", 977: "lsetxattr", 974: "getxattrat", 973: "getxattrat", 972: "getxattr", 971: "getxattr", 970: "lgetxattr", 969: "lgetxattr", 966: "listxattrat", 965: "listxattrat", 964: "listxattr", 963: "listxattr", 962: "llistxattr", 961: "llistxattr", 958: "removexattrat", 957: "removexattrat", 956: "removexattr", 955: "removexattr", 954: "lremovexattr", 953: "lremovexattr", 948: "open_tree", 947: "open_tree", 930: "close_range", 929: "close_range", 910: "getdents", 909: "getdents", 908: "getdents64", 907: "getdents64", 906: "ioctl", 905: "ioctl", 904: "fcntl", 903: "fcntl", 898: "mkdirat", 897: "mkdirat", 896: "mkdir", 895: "mkdir", 894: "rmdir", 893: "rmdir", 892: "unlinkat", 891: "unlinkat", 890: "unlink", 889: "unlink", 888: "symlinkat", 887: "symlinkat", 886: "symlink", 885: "symlink", 884: "linkat", 883: "linkat", 882: "link", 881: "link", 880: "renameat2", 879: "renameat2", 878: "renameat", 877: "renameat", 876: "rename", 875: "rename", 866: "newstat", 865: "newstat", 864: "newlstat", 863: "newlstat", 862: "newfstatat", 861: "newfstatat", 860: "newfstat", 859: "newfstat", 858: "readlinkat", 857: "readlinkat", 854: "statx", 853: "statx", 852: "lseek", 851: "lseek", 850: "read", 849: "read", 848: "write", 847: "write", 846: "pread64", 845: "pread64", 844: "pwrite64", 843: "pwrite64", 824: "ftruncate", 823: "ftruncate", 820: "faccessat", 819: "faccessat", 818: "faccessat2", 817: "faccessat2", 816: "access", 815: "access", 814: "chdir", 813: "chdir", 812: "fchdir", 811: "fchdir", 810: "chroot", 809: "chroot", 808: "fchmod", 807: "fchmod", 806: "fchmodat2", 805: "fchmodat2", 804: "fchmodat", 803: "fchmodat", 802: "chmod", 801: "chmod", 800: "fchownat", 799: "fchownat", 798: "chown", 797: "chown", 796: "lchown", 795: 
"lchown", 794: "fchown", 793: "fchown", 792: "open", 791: "open", 790: "openat", 789: "openat", 788: "openat2", 787: "openat2", 786: "creat", 785: "creat", 784: "close", 783: "close", 599: "cachestat", 598: "cachestat", } func (s TraceId) String() string { @@ -466,10 +466,6 @@ const SYS_ENTER_IOCTL TraceId = 906 const SYS_EXIT_IOCTL TraceId = 905 const SYS_ENTER_FCNTL TraceId = 904 const SYS_EXIT_FCNTL TraceId = 903 -const SYS_ENTER_MKNODAT TraceId = 902 -const SYS_EXIT_MKNODAT TraceId = 901 -const SYS_ENTER_MKNOD TraceId = 900 -const SYS_EXIT_MKNOD TraceId = 899 const SYS_ENTER_MKDIRAT TraceId = 898 const SYS_EXIT_MKDIRAT TraceId = 897 const SYS_ENTER_MKDIR TraceId = 896 @@ -494,10 +490,6 @@ const SYS_ENTER_RENAMEAT TraceId = 878 const SYS_EXIT_RENAMEAT TraceId = 877 const SYS_ENTER_RENAME TraceId = 876 const SYS_EXIT_RENAME TraceId = 875 -const SYS_ENTER_EXECVE TraceId = 870 -const SYS_EXIT_EXECVE TraceId = 869 -const SYS_ENTER_EXECVEAT TraceId = 868 -const SYS_EXIT_EXECVEAT TraceId = 867 const SYS_ENTER_NEWSTAT TraceId = 866 const SYS_EXIT_NEWSTAT TraceId = 865 const SYS_ENTER_NEWLSTAT TraceId = 864 -- cgit v1.2.3