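// Code generated - don't change manually!
//
// NOTE(review): this file is generator output, so the socketpair changes below
// (zeroed pending context, context stored/consumed independently of the ring
// buffer reservation) must also be made in the generator template, otherwise
// the next regeneration reverts them.
//
// Trace identifiers. Each traced syscall has a SYS_ENTER_* id and, in every
// pair listed here, a SYS_EXIT_* id that is exactly one lower. exit,
// exit_group and rt_sigreturn only have an enter id in this table.
// NOTE(review): the numbering scheme itself is not visible here; whatever
// consumes trace_id in user space has to be built from this same table.
#define SYS_ENTER_SOCKET 1847
#define SYS_EXIT_SOCKET 1846
#define SYS_ENTER_SOCKETPAIR 1845
#define SYS_EXIT_SOCKETPAIR 1844
#define SYS_ENTER_BIND 1843
#define SYS_EXIT_BIND 1842
#define SYS_ENTER_LISTEN 1841
#define SYS_EXIT_LISTEN 1840
#define SYS_ENTER_ACCEPT4 1839
#define SYS_EXIT_ACCEPT4 1838
#define SYS_ENTER_ACCEPT 1837
#define SYS_EXIT_ACCEPT 1836
#define SYS_ENTER_CONNECT 1835
#define SYS_EXIT_CONNECT 1834
#define SYS_ENTER_GETSOCKNAME 1833
#define SYS_EXIT_GETSOCKNAME 1832
#define SYS_ENTER_GETPEERNAME 1831
#define SYS_EXIT_GETPEERNAME 1830
#define SYS_ENTER_SENDTO 1829
#define SYS_EXIT_SENDTO 1828
#define SYS_ENTER_RECVFROM 1827
#define SYS_EXIT_RECVFROM 1826
#define SYS_ENTER_SETSOCKOPT 1825
#define SYS_EXIT_SETSOCKOPT 1824
#define SYS_ENTER_GETSOCKOPT 1823
#define SYS_EXIT_GETSOCKOPT 1822
#define SYS_ENTER_SHUTDOWN 1821
#define SYS_EXIT_SHUTDOWN 1820
#define SYS_ENTER_SENDMSG 1819
#define SYS_EXIT_SENDMSG 1818
#define SYS_ENTER_SENDMMSG 1817
#define SYS_EXIT_SENDMMSG 1816
#define SYS_ENTER_RECVMSG 1815
#define SYS_EXIT_RECVMSG 1814
#define SYS_ENTER_RECVMMSG 1813
#define SYS_EXIT_RECVMMSG 1812
#define SYS_ENTER_GETRANDOM 1575
#define SYS_EXIT_GETRANDOM 1574
#define SYS_ENTER_IO_URING_REGISTER 1528
#define SYS_EXIT_IO_URING_REGISTER 1527
#define SYS_ENTER_IO_URING_ENTER 1509
#define SYS_EXIT_IO_URING_ENTER 1508
#define SYS_ENTER_IO_URING_SETUP 1507
#define SYS_EXIT_IO_URING_SETUP 1506
#define SYS_ENTER_IOPRIO_SET 1491
#define SYS_EXIT_IOPRIO_SET 1490
#define SYS_ENTER_IOPRIO_GET 1489
#define SYS_EXIT_IOPRIO_GET 1488
#define SYS_ENTER_LANDLOCK_CREATE_RULESET 1463
#define SYS_EXIT_LANDLOCK_CREATE_RULESET 1462
#define SYS_ENTER_LANDLOCK_ADD_RULE 1461
#define SYS_EXIT_LANDLOCK_ADD_RULE 1460
#define SYS_ENTER_LANDLOCK_RESTRICT_SELF 1459
#define SYS_EXIT_LANDLOCK_RESTRICT_SELF 1458
#define SYS_ENTER_LSM_SET_SELF_ATTR 1456
#define SYS_EXIT_LSM_SET_SELF_ATTR 1455
#define SYS_ENTER_LSM_GET_SELF_ATTR 1454
#define SYS_EXIT_LSM_GET_SELF_ATTR 1453
#define SYS_ENTER_LSM_LIST_MODULES 1452
#define SYS_EXIT_LSM_LIST_MODULES 1451
#define SYS_ENTER_ADD_KEY 1449
#define SYS_EXIT_ADD_KEY 1448
#define SYS_ENTER_REQUEST_KEY 1447
#define SYS_EXIT_REQUEST_KEY 1446
#define SYS_ENTER_KEYCTL 1445
#define SYS_EXIT_KEYCTL 1444
#define SYS_ENTER_MQ_OPEN 1443
#define SYS_EXIT_MQ_OPEN 1442
#define SYS_ENTER_MQ_UNLINK 1441
#define SYS_EXIT_MQ_UNLINK 1440
#define SYS_ENTER_MQ_TIMEDSEND 1439
#define SYS_EXIT_MQ_TIMEDSEND 1438
#define SYS_ENTER_MQ_TIMEDRECEIVE 1437
#define SYS_EXIT_MQ_TIMEDRECEIVE 1436
#define SYS_ENTER_MQ_NOTIFY 1435
#define SYS_EXIT_MQ_NOTIFY 1434
#define SYS_ENTER_MQ_GETSETATTR 1433
#define SYS_EXIT_MQ_GETSETATTR 1432
#define SYS_ENTER_SHMGET 1431
#define SYS_EXIT_SHMGET 1430
#define SYS_ENTER_SHMCTL 1429
#define SYS_EXIT_SHMCTL 1428
#define SYS_ENTER_SHMAT 1427
#define SYS_EXIT_SHMAT 1426
#define SYS_ENTER_SHMDT 1425
#define SYS_EXIT_SHMDT 1424
#define SYS_ENTER_SEMGET 1423
#define SYS_EXIT_SEMGET 1422
#define SYS_ENTER_SEMCTL 1421
#define SYS_EXIT_SEMCTL 1420
#define SYS_ENTER_SEMTIMEDOP 1419
#define SYS_EXIT_SEMTIMEDOP 1418
#define SYS_ENTER_SEMOP 1417
#define SYS_EXIT_SEMOP 1416
#define SYS_ENTER_MSGGET 1415
#define SYS_EXIT_MSGGET 1414
#define SYS_ENTER_MSGCTL 1413
#define SYS_EXIT_MSGCTL 1412
#define SYS_ENTER_MSGSND 1411
#define SYS_EXIT_MSGSND 1410
#define SYS_ENTER_MSGRCV 1409
#define SYS_EXIT_MSGRCV 1408
#define SYS_ENTER_QUOTACTL 1164
#define SYS_EXIT_QUOTACTL 1163
#define SYS_ENTER_QUOTACTL_FD 1162
#define SYS_EXIT_QUOTACTL_FD 1161
#define SYS_ENTER_NAME_TO_HANDLE_AT 1146
#define SYS_EXIT_NAME_TO_HANDLE_AT 1145
#define SYS_ENTER_OPEN_BY_HANDLE_AT 1144
#define SYS_EXIT_OPEN_BY_HANDLE_AT 1143
#define SYS_ENTER_FLOCK 1130
#define SYS_EXIT_FLOCK 1129
#define SYS_ENTER_IO_SETUP 1111
#define SYS_EXIT_IO_SETUP 1110
#define SYS_ENTER_IO_DESTROY 1109
#define SYS_EXIT_IO_DESTROY 1108
#define SYS_ENTER_IO_SUBMIT 1107
#define SYS_EXIT_IO_SUBMIT 1106
#define SYS_ENTER_IO_CANCEL 1105
#define SYS_EXIT_IO_CANCEL 1104
#define SYS_ENTER_IO_GETEVENTS 1103
#define SYS_EXIT_IO_GETEVENTS 1102
#define SYS_ENTER_IO_PGETEVENTS 1101
#define SYS_EXIT_IO_PGETEVENTS 1100
#define SYS_ENTER_USERFAULTFD 1099
#define SYS_EXIT_USERFAULTFD 1098
#define SYS_ENTER_EVENTFD2 1097
#define SYS_EXIT_EVENTFD2 1096
#define SYS_ENTER_EVENTFD 1095
#define SYS_EXIT_EVENTFD 1094
#define SYS_ENTER_TIMERFD_CREATE 1093
#define SYS_EXIT_TIMERFD_CREATE 1092
#define SYS_ENTER_TIMERFD_SETTIME 1091
#define SYS_EXIT_TIMERFD_SETTIME 1090
#define SYS_ENTER_TIMERFD_GETTIME 1089
#define SYS_EXIT_TIMERFD_GETTIME 1088
#define SYS_ENTER_SIGNALFD4 1087
#define SYS_EXIT_SIGNALFD4 1086
#define SYS_ENTER_SIGNALFD 1085
#define SYS_EXIT_SIGNALFD 1084
#define SYS_ENTER_EPOLL_CREATE1 1083
#define SYS_EXIT_EPOLL_CREATE1 1082
#define SYS_ENTER_EPOLL_CREATE 1081
#define SYS_EXIT_EPOLL_CREATE 1080
#define SYS_ENTER_EPOLL_CTL 1079
#define SYS_EXIT_EPOLL_CTL 1078
#define SYS_ENTER_EPOLL_WAIT 1077
#define SYS_EXIT_EPOLL_WAIT 1076
#define SYS_ENTER_EPOLL_PWAIT 1075
#define SYS_EXIT_EPOLL_PWAIT 1074
#define SYS_ENTER_EPOLL_PWAIT2 1073
#define SYS_EXIT_EPOLL_PWAIT2 1072
#define SYS_ENTER_FANOTIFY_INIT 1071
#define SYS_EXIT_FANOTIFY_INIT 1070
#define SYS_ENTER_FANOTIFY_MARK 1069
#define SYS_EXIT_FANOTIFY_MARK 1068
#define SYS_ENTER_INOTIFY_INIT1 1067
#define SYS_EXIT_INOTIFY_INIT1 1066
#define SYS_ENTER_INOTIFY_INIT 1065
#define SYS_EXIT_INOTIFY_INIT 1064
#define SYS_ENTER_INOTIFY_ADD_WATCH 1063
#define SYS_EXIT_INOTIFY_ADD_WATCH 1062
#define SYS_ENTER_INOTIFY_RM_WATCH 1061
#define SYS_EXIT_INOTIFY_RM_WATCH 1060
#define SYS_ENTER_FILE_GETATTR 1059
#define SYS_EXIT_FILE_GETATTR 1058
#define SYS_ENTER_FILE_SETATTR 1057
#define SYS_EXIT_FILE_SETATTR 1056
#define SYS_ENTER_FSOPEN 1055
#define SYS_EXIT_FSOPEN 1054
#define SYS_ENTER_FSPICK 1053
#define SYS_EXIT_FSPICK 1052
#define SYS_ENTER_FSCONFIG 1051
#define SYS_EXIT_FSCONFIG 1050
#define SYS_ENTER_STATFS 1049
#define SYS_EXIT_STATFS 1048
#define SYS_ENTER_FSTATFS 1047
#define SYS_EXIT_FSTATFS 1046
#define SYS_ENTER_USTAT 1045
#define SYS_EXIT_USTAT 1044
#define SYS_ENTER_GETCWD 1043
#define SYS_EXIT_GETCWD 1042
#define SYS_ENTER_UTIMENSAT 1041
#define SYS_EXIT_UTIMENSAT 1040
#define SYS_ENTER_FUTIMESAT 1039
#define SYS_EXIT_FUTIMESAT 1038
#define SYS_ENTER_UTIMES 1037
#define SYS_EXIT_UTIMES 1036
#define SYS_ENTER_UTIME 1035
#define SYS_EXIT_UTIME 1034
#define SYS_ENTER_SYNC 1033
#define SYS_EXIT_SYNC 1032
#define SYS_ENTER_SYNCFS 1031
#define SYS_EXIT_SYNCFS 1030
#define SYS_ENTER_FSYNC 1029
#define SYS_EXIT_FSYNC 1028
#define SYS_ENTER_FDATASYNC 1027
#define SYS_EXIT_FDATASYNC 1026
#define SYS_ENTER_SYNC_FILE_RANGE 1025
#define SYS_EXIT_SYNC_FILE_RANGE 1024
#define SYS_ENTER_VMSPLICE 1023
#define SYS_EXIT_VMSPLICE 1022
#define SYS_ENTER_SPLICE 1021
#define SYS_EXIT_SPLICE 1020
#define SYS_ENTER_TEE 1019
#define SYS_EXIT_TEE 1018
#define SYS_ENTER_SETXATTRAT 985
#define SYS_EXIT_SETXATTRAT 984
#define SYS_ENTER_SETXATTR 983
#define SYS_EXIT_SETXATTR 982
#define SYS_ENTER_LSETXATTR 981
#define SYS_EXIT_LSETXATTR 980
#define SYS_ENTER_FSETXATTR 979
#define SYS_EXIT_FSETXATTR 978
#define SYS_ENTER_GETXATTRAT 977
#define SYS_EXIT_GETXATTRAT 976
#define SYS_ENTER_GETXATTR 975
#define SYS_EXIT_GETXATTR 974
#define SYS_ENTER_LGETXATTR 973
#define SYS_EXIT_LGETXATTR 972
#define SYS_ENTER_FGETXATTR 971
#define SYS_EXIT_FGETXATTR 970
#define SYS_ENTER_LISTXATTRAT 969
#define SYS_EXIT_LISTXATTRAT 968
#define SYS_ENTER_LISTXATTR 967
#define SYS_EXIT_LISTXATTR 966
#define SYS_ENTER_LLISTXATTR 965
#define SYS_EXIT_LLISTXATTR 964
#define SYS_ENTER_FLISTXATTR 963
#define SYS_EXIT_FLISTXATTR 962
#define SYS_ENTER_REMOVEXATTRAT 961
#define SYS_EXIT_REMOVEXATTRAT 960
#define SYS_ENTER_REMOVEXATTR 959
#define SYS_EXIT_REMOVEXATTR 958
#define SYS_ENTER_LREMOVEXATTR 957
#define SYS_EXIT_LREMOVEXATTR 956
#define SYS_ENTER_FREMOVEXATTR 955
#define SYS_EXIT_FREMOVEXATTR 954
#define SYS_ENTER_UMOUNT 953
#define SYS_EXIT_UMOUNT 952
#define SYS_ENTER_OPEN_TREE 951
#define SYS_EXIT_OPEN_TREE 950
#define SYS_ENTER_MOUNT 949
#define SYS_EXIT_MOUNT 948
#define SYS_ENTER_FSMOUNT 947
#define SYS_EXIT_FSMOUNT 946
#define SYS_ENTER_MOVE_MOUNT 945
#define SYS_EXIT_MOVE_MOUNT 944
#define SYS_ENTER_PIVOT_ROOT 943
#define SYS_EXIT_PIVOT_ROOT 942
#define SYS_ENTER_MOUNT_SETATTR 941
#define SYS_EXIT_MOUNT_SETATTR 940
#define SYS_ENTER_OPEN_TREE_ATTR 939
#define SYS_EXIT_OPEN_TREE_ATTR 938
#define SYS_ENTER_STATMOUNT 937
#define SYS_EXIT_STATMOUNT 936
#define SYS_ENTER_LISTMOUNT 935
#define SYS_EXIT_LISTMOUNT 934
#define SYS_ENTER_SYSFS 933
#define SYS_EXIT_SYSFS 932
#define SYS_ENTER_CLOSE_RANGE 931
#define SYS_EXIT_CLOSE_RANGE 930
#define SYS_ENTER_DUP3 929
#define SYS_EXIT_DUP3 928
#define SYS_ENTER_DUP2 927
#define SYS_EXIT_DUP2 926
#define SYS_ENTER_DUP 925
#define SYS_EXIT_DUP 924
#define SYS_ENTER_SELECT 919
#define SYS_EXIT_SELECT 918
#define SYS_ENTER_PSELECT6 917
#define SYS_EXIT_PSELECT6 916
#define SYS_ENTER_POLL 915
#define SYS_EXIT_POLL 914
#define SYS_ENTER_PPOLL 913
#define SYS_EXIT_PPOLL 912
#define SYS_ENTER_GETDENTS 911
#define SYS_EXIT_GETDENTS 910
#define SYS_ENTER_GETDENTS64 909
#define SYS_EXIT_GETDENTS64 908
#define SYS_ENTER_IOCTL 907
#define SYS_EXIT_IOCTL 906
#define SYS_ENTER_FCNTL 905
#define SYS_EXIT_FCNTL 904
#define SYS_ENTER_MKNODAT 903
#define SYS_EXIT_MKNODAT 902
#define SYS_ENTER_MKNOD 901
#define SYS_EXIT_MKNOD 900
#define SYS_ENTER_MKDIRAT 899
#define SYS_EXIT_MKDIRAT 898
#define SYS_ENTER_MKDIR 897
#define SYS_EXIT_MKDIR 896
#define SYS_ENTER_RMDIR 895
#define SYS_EXIT_RMDIR 894
#define SYS_ENTER_UNLINKAT 893
#define SYS_EXIT_UNLINKAT 892
#define SYS_ENTER_UNLINK 891
#define SYS_EXIT_UNLINK 890
#define SYS_ENTER_SYMLINKAT 889
#define SYS_EXIT_SYMLINKAT 888
#define SYS_ENTER_SYMLINK 887
#define SYS_EXIT_SYMLINK 886
#define SYS_ENTER_LINKAT 885
#define SYS_EXIT_LINKAT 884
#define SYS_ENTER_LINK 883
#define SYS_EXIT_LINK 882
#define SYS_ENTER_RENAMEAT2 881
#define SYS_EXIT_RENAMEAT2 880
#define SYS_ENTER_RENAMEAT 879
#define SYS_EXIT_RENAMEAT 878
#define SYS_ENTER_RENAME 877
#define SYS_EXIT_RENAME 876
#define SYS_ENTER_PIPE2 875
#define SYS_EXIT_PIPE2 874
#define SYS_ENTER_PIPE 873
#define SYS_EXIT_PIPE 872
#define SYS_ENTER_EXECVE 871
#define SYS_EXIT_EXECVE 870
#define SYS_ENTER_EXECVEAT 869
#define SYS_EXIT_EXECVEAT 868
#define SYS_ENTER_NEWSTAT 867
#define SYS_EXIT_NEWSTAT 866
#define SYS_ENTER_NEWLSTAT 865
#define SYS_EXIT_NEWLSTAT 864
#define SYS_ENTER_NEWFSTATAT 863
#define SYS_EXIT_NEWFSTATAT 862
#define SYS_ENTER_NEWFSTAT 861
#define SYS_EXIT_NEWFSTAT 860
#define SYS_ENTER_READLINKAT 859
#define SYS_EXIT_READLINKAT 858
#define SYS_ENTER_READLINK 857
#define SYS_EXIT_READLINK 856
#define SYS_ENTER_STATX 855
#define SYS_EXIT_STATX 854
#define SYS_ENTER_LSEEK 853
#define SYS_EXIT_LSEEK 852
#define SYS_ENTER_READ 851
#define SYS_EXIT_READ 850
#define SYS_ENTER_WRITE 849
#define SYS_EXIT_WRITE 848
#define SYS_ENTER_PREAD64 847
#define SYS_EXIT_PREAD64 846
#define SYS_ENTER_PWRITE64 845
#define SYS_EXIT_PWRITE64 844
#define SYS_ENTER_READV 843
#define SYS_EXIT_READV 842
#define SYS_ENTER_WRITEV 841
#define SYS_EXIT_WRITEV 840
#define SYS_ENTER_PREADV 839
#define SYS_EXIT_PREADV 838
#define SYS_ENTER_PREADV2 837
#define SYS_EXIT_PREADV2 836
#define SYS_ENTER_PWRITEV 835
#define SYS_EXIT_PWRITEV 834
#define SYS_ENTER_PWRITEV2 833
#define SYS_EXIT_PWRITEV2 832
#define SYS_ENTER_SENDFILE64 831
#define SYS_EXIT_SENDFILE64 830
#define SYS_ENTER_COPY_FILE_RANGE 829
#define SYS_EXIT_COPY_FILE_RANGE 828
#define SYS_ENTER_TRUNCATE 827
#define SYS_EXIT_TRUNCATE 826
#define SYS_ENTER_FTRUNCATE 825
#define SYS_EXIT_FTRUNCATE 824
#define SYS_ENTER_FALLOCATE 823
#define SYS_EXIT_FALLOCATE 822
#define SYS_ENTER_FACCESSAT 821
#define SYS_EXIT_FACCESSAT 820
#define SYS_ENTER_FACCESSAT2 819
#define SYS_EXIT_FACCESSAT2 818
#define SYS_ENTER_ACCESS 817
#define SYS_EXIT_ACCESS 816
#define SYS_ENTER_CHDIR 815
#define SYS_EXIT_CHDIR 814
#define SYS_ENTER_FCHDIR 813
#define SYS_EXIT_FCHDIR 812
#define SYS_ENTER_CHROOT 811
#define SYS_EXIT_CHROOT 810
#define SYS_ENTER_FCHMOD 809
#define SYS_EXIT_FCHMOD 808
#define SYS_ENTER_FCHMODAT2 807
#define SYS_EXIT_FCHMODAT2 806
#define SYS_ENTER_FCHMODAT 805
#define SYS_EXIT_FCHMODAT 804
#define SYS_ENTER_CHMOD 803
#define SYS_EXIT_CHMOD 802
#define SYS_ENTER_FCHOWNAT 801
#define SYS_EXIT_FCHOWNAT 800
#define SYS_ENTER_CHOWN 799
#define SYS_EXIT_CHOWN 798
#define SYS_ENTER_LCHOWN 797
#define SYS_EXIT_LCHOWN 796
#define SYS_ENTER_FCHOWN 795
#define SYS_EXIT_FCHOWN 794
#define SYS_ENTER_OPEN 793
#define SYS_EXIT_OPEN 792
#define SYS_ENTER_OPENAT 791
#define SYS_EXIT_OPENAT 790
#define SYS_ENTER_OPENAT2 789
#define SYS_EXIT_OPENAT2 788
#define SYS_ENTER_CREAT 787
#define SYS_EXIT_CREAT 786
#define SYS_ENTER_CLOSE 785
#define SYS_EXIT_CLOSE 784
#define SYS_ENTER_VHANGUP 783
#define SYS_EXIT_VHANGUP 782
#define SYS_ENTER_MEMFD_CREATE 781
#define SYS_EXIT_MEMFD_CREATE 780
#define SYS_ENTER_MEMFD_SECRET 774
#define SYS_EXIT_MEMFD_SECRET 773
#define SYS_ENTER_MOVE_PAGES 754
#define SYS_EXIT_MOVE_PAGES 753
#define SYS_ENTER_SET_MEMPOLICY_HOME_NODE 743
#define SYS_EXIT_SET_MEMPOLICY_HOME_NODE 742
#define SYS_ENTER_MBIND 741
#define SYS_EXIT_MBIND 740
#define SYS_ENTER_SET_MEMPOLICY 739
#define SYS_EXIT_SET_MEMPOLICY 738
#define SYS_ENTER_MIGRATE_PAGES 737
#define SYS_EXIT_MIGRATE_PAGES 736
#define SYS_ENTER_GET_MEMPOLICY 735
#define SYS_EXIT_GET_MEMPOLICY 734
#define SYS_ENTER_SWAPOFF 733
#define SYS_EXIT_SWAPOFF 732
#define SYS_ENTER_SWAPON 731
#define SYS_EXIT_SWAPON 730
#define SYS_ENTER_MADVISE 729
#define SYS_EXIT_MADVISE 728
#define SYS_ENTER_PROCESS_MADVISE 727
#define SYS_EXIT_PROCESS_MADVISE 726
#define SYS_ENTER_MSEAL 725
#define SYS_EXIT_MSEAL 724
#define SYS_ENTER_PROCESS_VM_READV 723
#define SYS_EXIT_PROCESS_VM_READV 722
#define SYS_ENTER_PROCESS_VM_WRITEV 721
#define SYS_EXIT_PROCESS_VM_WRITEV 720
#define SYS_ENTER_MSYNC 712
#define SYS_EXIT_MSYNC 711
#define SYS_ENTER_MREMAP 710
#define SYS_EXIT_MREMAP 709
#define SYS_ENTER_MPROTECT 708
#define SYS_EXIT_MPROTECT 707
#define SYS_ENTER_PKEY_MPROTECT 706
#define SYS_EXIT_PKEY_MPROTECT 705
#define SYS_ENTER_PKEY_ALLOC 704
#define SYS_EXIT_PKEY_ALLOC 703
#define SYS_ENTER_PKEY_FREE 702
#define SYS_EXIT_PKEY_FREE 701
#define SYS_ENTER_BRK 698
#define SYS_EXIT_BRK 697
#define SYS_ENTER_MUNMAP 696
#define SYS_EXIT_MUNMAP 695
#define SYS_ENTER_REMAP_FILE_PAGES 694
#define SYS_EXIT_REMAP_FILE_PAGES 693
#define SYS_ENTER_MLOCK 692
#define SYS_EXIT_MLOCK 691
#define SYS_ENTER_MLOCK2 690
#define SYS_EXIT_MLOCK2 689
#define SYS_ENTER_MUNLOCK 688
#define SYS_EXIT_MUNLOCK 687
#define SYS_ENTER_MLOCKALL 686
#define SYS_EXIT_MLOCKALL 685
#define SYS_ENTER_MUNLOCKALL 684
#define SYS_EXIT_MUNLOCKALL 683
#define SYS_ENTER_MINCORE 682
#define SYS_EXIT_MINCORE 681
#define SYS_ENTER_READAHEAD 616
#define SYS_EXIT_READAHEAD 615
#define SYS_ENTER_FADVISE64 614
#define SYS_EXIT_FADVISE64 613
#define SYS_ENTER_PROCESS_MRELEASE 604
#define SYS_EXIT_PROCESS_MRELEASE 603
#define SYS_ENTER_CACHESTAT 595
#define SYS_EXIT_CACHESTAT 594
#define SYS_ENTER_RSEQ 591
#define SYS_EXIT_RSEQ 590
#define SYS_ENTER_PERF_EVENT_OPEN 587
#define SYS_EXIT_PERF_EVENT_OPEN 586
#define SYS_ENTER_BPF 585
#define SYS_EXIT_BPF 584
#define SYS_ENTER_SECCOMP 526
#define SYS_EXIT_SECCOMP 525
#define SYS_ENTER_KEXEC_FILE_LOAD 508
#define SYS_EXIT_KEXEC_FILE_LOAD 507
#define SYS_ENTER_KEXEC_LOAD 506
#define SYS_EXIT_KEXEC_LOAD 505
#define SYS_ENTER_ACCT 504
#define SYS_EXIT_ACCT 503
#define SYS_ENTER_SET_ROBUST_LIST 499
#define SYS_EXIT_SET_ROBUST_LIST 498
#define SYS_ENTER_GET_ROBUST_LIST 497
#define SYS_EXIT_GET_ROBUST_LIST 496
#define SYS_ENTER_FUTEX 495
#define SYS_EXIT_FUTEX 494
#define SYS_ENTER_FUTEX_WAITV 493
#define SYS_EXIT_FUTEX_WAITV 492
#define SYS_ENTER_FUTEX_WAKE 491
#define SYS_EXIT_FUTEX_WAKE 490
#define SYS_ENTER_FUTEX_WAIT 489
#define SYS_EXIT_FUTEX_WAIT 488
#define SYS_ENTER_FUTEX_REQUEUE 487
#define SYS_EXIT_FUTEX_REQUEUE 486
#define SYS_ENTER_GETITIMER 471
#define SYS_EXIT_GETITIMER 470
#define SYS_ENTER_ALARM 469
#define SYS_EXIT_ALARM 468
#define SYS_ENTER_SETITIMER 467
#define SYS_EXIT_SETITIMER 466
#define SYS_ENTER_TIMER_CREATE 465
#define SYS_EXIT_TIMER_CREATE 464
#define SYS_ENTER_TIMER_GETTIME 463
#define SYS_EXIT_TIMER_GETTIME 462
#define SYS_ENTER_TIMER_GETOVERRUN 461
#define SYS_EXIT_TIMER_GETOVERRUN 460
#define SYS_ENTER_TIMER_SETTIME 459
#define SYS_EXIT_TIMER_SETTIME 458
#define SYS_ENTER_TIMER_DELETE 457
#define SYS_EXIT_TIMER_DELETE 456
#define SYS_ENTER_CLOCK_SETTIME 455
#define SYS_EXIT_CLOCK_SETTIME 454
#define SYS_ENTER_CLOCK_GETTIME 453
#define SYS_EXIT_CLOCK_GETTIME 452
#define SYS_ENTER_CLOCK_ADJTIME 451
#define SYS_EXIT_CLOCK_ADJTIME 450
#define SYS_ENTER_CLOCK_GETRES 449
#define SYS_EXIT_CLOCK_GETRES 448
#define SYS_ENTER_CLOCK_NANOSLEEP 447
#define SYS_EXIT_CLOCK_NANOSLEEP 446
#define SYS_ENTER_NANOSLEEP 441
#define SYS_EXIT_NANOSLEEP 440
#define SYS_ENTER_TIME 425
#define SYS_EXIT_TIME 424
#define SYS_ENTER_GETTIMEOFDAY 423
#define SYS_EXIT_GETTIMEOFDAY 422
#define SYS_ENTER_SETTIMEOFDAY 421
#define SYS_EXIT_SETTIMEOFDAY 420
#define SYS_ENTER_ADJTIMEX 419
#define SYS_EXIT_ADJTIMEX 418
#define SYS_ENTER_KCMP 417
#define SYS_EXIT_KCMP 416
#define SYS_ENTER_DELETE_MODULE 410
#define SYS_EXIT_DELETE_MODULE 409
#define SYS_ENTER_INIT_MODULE 408
#define SYS_EXIT_INIT_MODULE 407
#define SYS_ENTER_FINIT_MODULE 406
#define SYS_EXIT_FINIT_MODULE 405
#define SYS_ENTER_SYSLOG 350
#define SYS_EXIT_SYSLOG 349
#define SYS_ENTER_MEMBARRIER 346
#define SYS_EXIT_MEMBARRIER 345
#define SYS_ENTER_SCHED_SETSCHEDULER 341
#define SYS_EXIT_SCHED_SETSCHEDULER 340
#define SYS_ENTER_SCHED_SETPARAM 339
#define SYS_EXIT_SCHED_SETPARAM 338
#define SYS_ENTER_SCHED_SETATTR 337
#define SYS_EXIT_SCHED_SETATTR 336
#define SYS_ENTER_SCHED_GETSCHEDULER 335
#define SYS_EXIT_SCHED_GETSCHEDULER 334
#define SYS_ENTER_SCHED_GETPARAM 333
#define SYS_EXIT_SCHED_GETPARAM 332
#define SYS_ENTER_SCHED_GETATTR 331
#define SYS_EXIT_SCHED_GETATTR 330
#define SYS_ENTER_SCHED_SETAFFINITY 329
#define SYS_EXIT_SCHED_SETAFFINITY 328
#define SYS_ENTER_SCHED_GETAFFINITY 327
#define SYS_EXIT_SCHED_GETAFFINITY 326
#define SYS_ENTER_SCHED_YIELD 325
#define SYS_EXIT_SCHED_YIELD 324
#define SYS_ENTER_SCHED_GET_PRIORITY_MAX 323
#define SYS_EXIT_SCHED_GET_PRIORITY_MAX 322
#define SYS_ENTER_SCHED_GET_PRIORITY_MIN 321
#define SYS_EXIT_SCHED_GET_PRIORITY_MIN 320
#define SYS_ENTER_SCHED_RR_GET_INTERVAL 319
#define SYS_EXIT_SCHED_RR_GET_INTERVAL 318
#define SYS_ENTER_GETGROUPS 286
#define SYS_EXIT_GETGROUPS 285
#define SYS_ENTER_SETGROUPS 284
#define SYS_EXIT_SETGROUPS 283
#define SYS_ENTER_REBOOT 282
#define SYS_EXIT_REBOOT 281
#define SYS_ENTER_LISTNS 277
#define SYS_EXIT_LISTNS 276
#define SYS_ENTER_SETNS 275
#define SYS_EXIT_SETNS 274
#define SYS_ENTER_PIDFD_OPEN 273
#define SYS_EXIT_PIDFD_OPEN 272
#define SYS_ENTER_PIDFD_GETFD 271
#define SYS_EXIT_PIDFD_GETFD 270
#define SYS_ENTER_SETPRIORITY 265
#define SYS_EXIT_SETPRIORITY 264
#define SYS_ENTER_GETPRIORITY 263
#define SYS_EXIT_GETPRIORITY 262
#define SYS_ENTER_SETREGID 261
#define SYS_EXIT_SETREGID 260
#define SYS_ENTER_SETGID 259
#define SYS_EXIT_SETGID 258
#define SYS_ENTER_SETREUID 257
#define SYS_EXIT_SETREUID 256
#define SYS_ENTER_SETUID 255
#define SYS_EXIT_SETUID 254
#define SYS_ENTER_SETRESUID 253
#define SYS_EXIT_SETRESUID 252
#define SYS_ENTER_GETRESUID 251
#define SYS_EXIT_GETRESUID 250
#define SYS_ENTER_SETRESGID 249
#define SYS_EXIT_SETRESGID 248
#define SYS_ENTER_GETRESGID 247
#define SYS_EXIT_GETRESGID 246
#define SYS_ENTER_SETFSUID 245
#define SYS_EXIT_SETFSUID 244
#define SYS_ENTER_SETFSGID 243
#define SYS_EXIT_SETFSGID 242
#define SYS_ENTER_GETPID 241
#define SYS_EXIT_GETPID 240
#define SYS_ENTER_GETTID 239
#define SYS_EXIT_GETTID 238
#define SYS_ENTER_GETPPID 237
#define SYS_EXIT_GETPPID 236
#define SYS_ENTER_GETUID 235
#define SYS_EXIT_GETUID 234
#define SYS_ENTER_GETEUID 233
#define SYS_EXIT_GETEUID 232
#define SYS_ENTER_GETGID 231
#define SYS_EXIT_GETGID 230
#define SYS_ENTER_GETEGID 229
#define SYS_EXIT_GETEGID 228
#define SYS_ENTER_TIMES 227
#define SYS_EXIT_TIMES 226
#define SYS_ENTER_SETPGID 225
#define SYS_EXIT_SETPGID 224
#define SYS_ENTER_GETPGID 223
#define SYS_EXIT_GETPGID 222
#define SYS_ENTER_GETPGRP 221
#define SYS_EXIT_GETPGRP 220
#define SYS_ENTER_GETSID 219
#define SYS_EXIT_GETSID 218
#define SYS_ENTER_SETSID 217
#define SYS_EXIT_SETSID 216
#define SYS_ENTER_NEWUNAME 215
#define SYS_EXIT_NEWUNAME 214
#define SYS_ENTER_SETHOSTNAME 213
#define SYS_EXIT_SETHOSTNAME 212
#define SYS_ENTER_SETDOMAINNAME 211
#define SYS_EXIT_SETDOMAINNAME 210
#define SYS_ENTER_GETRLIMIT 209
#define SYS_EXIT_GETRLIMIT 208
#define SYS_ENTER_PRLIMIT64 207
#define SYS_EXIT_PRLIMIT64 206
#define SYS_ENTER_SETRLIMIT 205
#define SYS_EXIT_SETRLIMIT 204
#define SYS_ENTER_GETRUSAGE 203
#define SYS_EXIT_GETRUSAGE 202
#define SYS_ENTER_UMASK 201
#define SYS_EXIT_UMASK 200
#define SYS_ENTER_PRCTL 199
#define SYS_EXIT_PRCTL 198
#define SYS_ENTER_GETCPU 197
#define SYS_EXIT_GETCPU 196
#define SYS_ENTER_SYSINFO 195
#define SYS_EXIT_SYSINFO 194
#define SYS_ENTER_RESTART_SYSCALL 191
#define SYS_EXIT_RESTART_SYSCALL 190
#define SYS_ENTER_RT_SIGPROCMASK 189
#define SYS_EXIT_RT_SIGPROCMASK 188
#define SYS_ENTER_RT_SIGPENDING 187
#define SYS_EXIT_RT_SIGPENDING 186
#define SYS_ENTER_RT_SIGTIMEDWAIT 185
#define SYS_EXIT_RT_SIGTIMEDWAIT 184
#define SYS_ENTER_KILL 183
#define SYS_EXIT_KILL 182
#define SYS_ENTER_PIDFD_SEND_SIGNAL 181
#define SYS_EXIT_PIDFD_SEND_SIGNAL 180
#define SYS_ENTER_TGKILL 179
#define SYS_EXIT_TGKILL 178
#define SYS_ENTER_TKILL 177
#define SYS_EXIT_TKILL 176
#define SYS_ENTER_RT_SIGQUEUEINFO 175
#define SYS_EXIT_RT_SIGQUEUEINFO 174
#define SYS_ENTER_RT_TGSIGQUEUEINFO 173
#define SYS_EXIT_RT_TGSIGQUEUEINFO 172
#define SYS_ENTER_SIGALTSTACK 171
#define SYS_EXIT_SIGALTSTACK 170
#define SYS_ENTER_RT_SIGACTION 169
#define SYS_EXIT_RT_SIGACTION 168
#define SYS_ENTER_PAUSE 167
#define SYS_EXIT_PAUSE 166
#define SYS_ENTER_RT_SIGSUSPEND 165
#define SYS_EXIT_RT_SIGSUSPEND 164
#define SYS_ENTER_PTRACE 163
#define SYS_EXIT_PTRACE 162
#define SYS_ENTER_CAPGET 161
#define SYS_EXIT_CAPGET 160
#define SYS_ENTER_CAPSET 159
#define SYS_EXIT_CAPSET 158
#define SYS_ENTER_EXIT 150
#define SYS_ENTER_EXIT_GROUP 148
#define SYS_ENTER_WAITID 146
#define SYS_EXIT_WAITID 145
#define SYS_ENTER_WAIT4 144
#define SYS_EXIT_WAIT4 143
#define SYS_ENTER_PERSONALITY 139
#define SYS_EXIT_PERSONALITY 138
#define SYS_ENTER_SET_TID_ADDRESS 134
#define SYS_EXIT_SET_TID_ADDRESS 133
#define SYS_ENTER_FORK 132
#define SYS_EXIT_FORK 131
#define SYS_ENTER_VFORK 130
#define SYS_EXIT_VFORK 129
#define SYS_ENTER_CLONE 128
#define SYS_EXIT_CLONE 127
#define SYS_ENTER_CLONE3 126
#define SYS_EXIT_CLONE3 125
#define SYS_ENTER_UNSHARE 124
#define SYS_EXIT_UNSHARE 123
#define SYS_ENTER_MAP_SHADOW_STACK 119
#define SYS_EXIT_MAP_SHADOW_STACK 118
#define SYS_ENTER_URETPROBE 117
#define SYS_EXIT_URETPROBE 116
#define SYS_ENTER_UPROBE 115
#define SYS_EXIT_UPROBE 114
#define SYS_ENTER_ARCH_PRCTL 102
#define SYS_EXIT_ARCH_PRCTL 101
#define SYS_ENTER_MMAP 100
#define SYS_EXIT_MMAP 99
#define SYS_ENTER_MODIFY_LDT 98
#define SYS_EXIT_MODIFY_LDT 97
#define SYS_ENTER_IOPERM 95
#define SYS_EXIT_IOPERM 94
#define SYS_ENTER_IOPL 93
#define SYS_EXIT_IOPL 92
#define SYS_ENTER_RT_SIGRETURN 57

// Tracepoint handlers. Every handler below has the same shape:
//   1. filter() fills pid/tid; a non-zero result ends the handler, no event.
//   2. ior_on_syscall_enter()/ior_on_syscall_exit() is consulted; a zero
//      result ends the handler. Exit handlers pass the matching SYS_ENTER_*
//      id to that hook while the emitted trace_id is the SYS_EXIT_* id.
//   3. A record is reserved in the event_map ring buffer. A failed
//      reservation drops the event silently (the handler still returns 0),
//      so consumers must tolerate an enter without an exit and vice versa.
//   4. The record is filled in and submitted.
// Values copied from ctx->args[] are the raw syscall arguments of the traced
// task, captured at syscall entry; an fd or family seen in an enter event is
// only what the caller asked for, the exit event's ret says whether it worked.

/// sys_enter_socket is a struct socket_event (kind=socket)
SEC("tracepoint/syscalls/sys_enter_socket")
int handle_sys_enter_socket(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_SOCKET))
        return 0;

    struct socket_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct socket_event), 0);
    if (!ev)
        return 0;

    ev->event_type = ENTER_SOCKET_EVENT;
    ev->trace_id = SYS_ENTER_SOCKET;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    // socket(family, type, protocol): the three arguments, truncated to 32 bit.
    ev->family = (__s32)ctx->args[0];
    ev->type = (__s32)ctx->args[1];
    ev->protocol = (__s32)ctx->args[2];
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_socket is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_socket")
int handle_sys_exit_socket(struct syscall_trace_exit *ctx)
{
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_SOCKET, ctx->ret))
        return 0;

    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev)
        return 0;

    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_SOCKET;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_socketpair is a struct socketpair_event (kind=socketpair)
SEC("tracepoint/syscalls/sys_enter_socketpair")
int handle_sys_enter_socketpair(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_SOCKETPAIR))
        return 0;

    // Remember the call's arguments for the exit handler, keyed by tid.
    // This is done before the ring buffer reservation so that a full ring
    // buffer on entry does not also strip the exit event of its context.
    // The struct is zeroed first: any padding bytes in struct socketpair_ctx
    // (its layout is declared elsewhere) would otherwise be copied from
    // uninitialised stack into the map.
    struct socketpair_ctx pending;
    __builtin_memset(&pending, 0, sizeof(pending));
    pending.usockvec = ctx->args[3];
    pending.family = (__s32)ctx->args[0];
    pending.type = (__s32)ctx->args[1];
    pending.protocol = (__s32)ctx->args[2];
    // Best effort: if the update fails the exit handler finds no entry and
    // reports -1 placeholders.
    bpf_map_update_elem(&socketpair_ctx_map, &tid, &pending, BPF_ANY);

    struct socketpair_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct socketpair_event), 0);
    if (!ev)
        return 0;

    ev->event_type = ENTER_SOCKETPAIR_EVENT;
    ev->trace_id = SYS_ENTER_SOCKETPAIR;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->family = pending.family;
    ev->type = pending.type;
    ev->protocol = pending.protocol;
    // The descriptors and the result are not known at entry: placeholders.
    ev->sv0 = -1;
    ev->sv1 = -1;
    ev->ret = 0;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_socketpair is a struct socketpair_event (kind=socketpair)
SEC("tracepoint/syscalls/sys_exit_socketpair")
int handle_sys_exit_socketpair(struct syscall_trace_exit *ctx)
{
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_SOCKETPAIR, ctx->ret))
        return 0;

    // -1 everywhere means "no context was recorded at entry".
    __s32 family = -1;
    __s32 type = -1;
    __s32 protocol = -1;
    __s32 sv0 = -1;
    __s32 sv1 = -1;

    // Consume the per-tid context before reserving ring buffer space. If the
    // entry were only deleted after a successful reservation, a dropped exit
    // event would leave it in socketpair_ctx_map, where a later exit on the
    // same tid could pick up the stale arguments and user pointer.
    struct socketpair_ctx *pending = bpf_map_lookup_elem(&socketpair_ctx_map, &tid);
    if (pending) {
        family = pending->family;
        type = pending->type;
        protocol = pending->protocol;
        if (ctx->ret == 0 && pending->usockvec != 0) {
            // The descriptor pair is read back from the caller's buffer after
            // the syscall has returned. That memory belongs to the traced
            // task, which can rewrite it concurrently, so sv0/sv1 are
            // advisory values and not a kernel-verified result.
            int sv[2];
            if (bpf_probe_read_user(&sv, sizeof(sv), (void *)pending->usockvec) == 0) {
                sv0 = (__s32)sv[0];
                sv1 = (__s32)sv[1];
            }
        }
        bpf_map_delete_elem(&socketpair_ctx_map, &tid);
    }

    struct socketpair_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct socketpair_event), 0);
    if (!ev)
        return 0;

    ev->event_type = EXIT_SOCKETPAIR_EVENT;
    ev->trace_id = SYS_EXIT_SOCKETPAIR;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->family = family;
    ev->type = type;
    ev->protocol = protocol;
    ev->sv0 = sv0;
    ev->sv1 = sv1;
    ev->ret = ctx->ret;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_bind is a struct fd_event (kind=fd)
SEC("tracepoint/syscalls/sys_enter_bind")
int handle_sys_enter_bind(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_BIND))
        return 0;

    struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
    if (!ev)
        return 0;

    ev->event_type = ENTER_FD_EVENT;
    ev->trace_id = SYS_ENTER_BIND;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    // Only the descriptor (first argument) is recorded.
    ev->fd = (__s32)ctx->args[0];
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_bind is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_bind")
int handle_sys_exit_bind(struct syscall_trace_exit *ctx)
{
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_BIND, ctx->ret))
        return 0;

    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev)
        return 0;

    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_BIND;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_listen is a struct fd_event (kind=fd)
SEC("tracepoint/syscalls/sys_enter_listen")
int handle_sys_enter_listen(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_LISTEN))
        return 0;

    struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
    if (!ev)
        return 0;

    ev->event_type = ENTER_FD_EVENT;
    ev->trace_id = SYS_ENTER_LISTEN;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    // Only the descriptor (first argument) is recorded.
    ev->fd = (__s32)ctx->args[0];
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_listen is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_listen")
int handle_sys_exit_listen(struct syscall_trace_exit *ctx)
{
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_LISTEN, ctx->ret))
        return 0;

    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev)
        return 0;

    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_LISTEN;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_accept4 is a struct accept_event (kind=accept)
SEC("tracepoint/syscalls/sys_enter_accept4")
int handle_sys_enter_accept4(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_ACCEPT4))
        return 0;

    struct accept_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct accept_event), 0);
    if (!ev)
        return 0;

    ev->event_type = ENTER_ACCEPT_EVENT;
    ev->trace_id = SYS_ENTER_ACCEPT4;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    // Listening descriptor from the call; the result is not known yet (-1).
    ev->fd = (__s32)ctx->args[0];
    ev->ret = -1;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_accept4 is a struct accept_event (kind=accept)
SEC("tracepoint/syscalls/sys_exit_accept4")
int handle_sys_exit_accept4(struct syscall_trace_exit *ctx)
{
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_ACCEPT4, ctx->ret))
        return 0;

    struct accept_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct accept_event), 0);
    if (!ev)
        return 0;

    ev->event_type = EXIT_ACCEPT_EVENT;
    ev->trace_id = SYS_EXIT_ACCEPT4;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    // The exit record carries only the return value; fd is a -1 placeholder
    // and has to be taken from the matching enter event.
    ev->fd = -1;
    ev->ret = ctx->ret;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_accept is a struct accept_event (kind=accept)
SEC("tracepoint/syscalls/sys_enter_accept")
int handle_sys_enter_accept(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_ACCEPT))
        return 0;

    struct accept_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct accept_event), 0);
    if (!ev)
        return 0;

    ev->event_type = ENTER_ACCEPT_EVENT;
    ev->trace_id = SYS_ENTER_ACCEPT;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    // Listening descriptor from the call; the result is not known yet (-1).
    ev->fd = (__s32)ctx->args[0];
    ev->ret = -1;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_accept is a struct accept_event (kind=accept)
SEC("tracepoint/syscalls/sys_exit_accept")
int handle_sys_exit_accept(struct syscall_trace_exit *ctx)
{
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_ACCEPT, ctx->ret))
        return 0;

    struct accept_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct accept_event), 0);
    if (!ev)
        return 0;

    ev->event_type = EXIT_ACCEPT_EVENT;
    ev->trace_id = SYS_EXIT_ACCEPT;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    // The exit record carries only the return value; fd is a -1 placeholder
    // and has to be taken from the matching enter event.
    ev->fd = -1;
    ev->ret = ctx->ret;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_connect is a struct fd_event (kind=fd)
SEC("tracepoint/syscalls/sys_enter_connect")
int handle_sys_enter_connect(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_CONNECT))
        return 0;

    struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
    if (!ev)
        return 0;

    ev->event_type = ENTER_FD_EVENT;
    ev->trace_id = SYS_ENTER_CONNECT;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    // Only the descriptor (first argument) is recorded.
    ev->fd = (__s32)ctx->args[0];
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_connect is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_connect")
int handle_sys_exit_connect(struct syscall_trace_exit *ctx)
{
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_CONNECT, ctx->ret))
        return 0;

    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev)
        return 0;

    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_CONNECT;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_getsockname is a struct fd_event (kind=fd)
SEC("tracepoint/syscalls/sys_enter_getsockname")
int handle_sys_enter_getsockname(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_GETSOCKNAME))
        return 0;

    struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
    if (!ev)
        return 0;

    ev->event_type = ENTER_FD_EVENT;
    ev->trace_id = SYS_ENTER_GETSOCKNAME;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    // Only the descriptor (first argument) is recorded.
    ev->fd = (__s32)ctx->args[0];
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_getsockname is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_getsockname")
int handle_sys_exit_getsockname(struct syscall_trace_exit *ctx)
{
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_GETSOCKNAME, ctx->ret))
        return 0;

    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev)
        return 0;

    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_GETSOCKNAME;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_getpeername is a struct fd_event (kind=fd)
SEC("tracepoint/syscalls/sys_enter_getpeername")
int handle_sys_enter_getpeername(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_GETPEERNAME))
        return 0;

    struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
    if (!ev)
        return 0;

    ev->event_type = ENTER_FD_EVENT;
    ev->trace_id = SYS_ENTER_GETPEERNAME;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    // Only the descriptor (first argument) is recorded.
    ev->fd = (__s32)ctx->args[0];
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_getpeername is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_getpeername")
int handle_sys_exit_getpeername(struct syscall_trace_exit *ctx)
{
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_GETPEERNAME, ctx->ret))
        return 0;

    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev)
        return 0;

    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_GETPEERNAME;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_sendto is a struct fd_event (kind=fd)
SEC("tracepoint/syscalls/sys_enter_sendto")
int handle_sys_enter_sendto(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_SENDTO))
        return 0;

    struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
    if (!ev)
        return 0;

    ev->event_type = ENTER_FD_EVENT;
    ev->trace_id = SYS_ENTER_SENDTO;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    // Only the descriptor (first argument) is recorded.
    ev->fd = (__s32)ctx->args[0];
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_sendto is a struct ret_event (WRITE_CLASSIFIED) (kind=ret)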
SEC("tracepoint/syscalls/sys_exit_sendto")
int handle_sys_exit_sendto(struct syscall_trace_exit *ctx)
{
    /*
     * Every handler in this group follows the same steps:
     *   1. filter() gates on the current task; a non-zero result means
     *      "do not trace" (presumably it also fills pid and tid, which are
     *      read afterwards -- confirm against its definition).
     *   2. ior_on_syscall_enter()/ior_on_syscall_exit() are defined
     *      elsewhere; a zero result suppresses the record.
     *   3. A fixed-size record is reserved in event_map. If the ring buffer
     *      has no room the record is dropped without any counter here, so
     *      a consumer can see an enter without its exit, or the reverse.
     *   4. The fields are filled in one by one and the record is submitted.
     *      NOTE(review): padding bytes inside the record are not cleared
     *      here; confirm the event structs have no padding or that the
     *      consumer ignores it.
     * Exit handlers pass the SYS_ENTER_* id to ior_on_syscall_exit() and
     * stamp the record itself with the SYS_EXIT_* id.
     */
    struct ret_event *rec;
    __u32 pid;
    __u32 tid;

    if (filter(&pid, &tid) ||
        !ior_on_syscall_exit(tid, SYS_ENTER_SENDTO, ctx->ret))
        return 0;

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_SENDTO;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret = ctx->ret;
    /* presumably marks ret as a count of bytes written -- confirm in the consumer */
    rec->ret_type = WRITE_CLASSIFIED;

    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_recvfrom is a struct fd_event (kind=fd)
SEC("tracepoint/syscalls/sys_enter_recvfrom")
int handle_sys_enter_recvfrom(struct syscall_trace_enter *ctx)
{
    /* Records the descriptor (first syscall argument) at entry to recvfrom. */
    struct fd_event *rec;
    __u32 pid;
    __u32 tid;

    if (filter(&pid, &tid) ||
        !ior_on_syscall_enter(tid, SYS_ENTER_RECVFROM))
        return 0;

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->event_type = ENTER_FD_EVENT;
    rec->trace_id = SYS_ENTER_RECVFROM;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    /* args[] holds register-width values; the cast keeps the low 32 bits as a signed fd */
    rec->fd = (__s32)ctx->args[0];

    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_recvfrom is a struct ret_event (READ_CLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_recvfrom")
int handle_sys_exit_recvfrom(struct syscall_trace_exit *ctx)
{
    /* Records the return value of recvfrom, tagged READ_CLASSIFIED. */
    struct ret_event *rec;
    __u32 pid;
    __u32 tid;

    if (filter(&pid, &tid) ||
        !ior_on_syscall_exit(tid, SYS_ENTER_RECVFROM, ctx->ret))
        return 0;

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_RECVFROM;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret = ctx->ret;
    rec->ret_type = READ_CLASSIFIED;

    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_setsockopt is a struct fd_event (kind=fd)
SEC("tracepoint/syscalls/sys_enter_setsockopt")
int handle_sys_enter_setsockopt(struct syscall_trace_enter *ctx)
{
    /* Records only the socket descriptor; level, option and value are not captured. */
    struct fd_event *rec;
    __u32 pid;
    __u32 tid;

    if (filter(&pid, &tid) ||
        !ior_on_syscall_enter(tid, SYS_ENTER_SETSOCKOPT))
        return 0;

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->event_type = ENTER_FD_EVENT;
    rec->trace_id = SYS_ENTER_SETSOCKOPT;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    rec->fd = (__s32)ctx->args[0];

    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_setsockopt is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_setsockopt")
int handle_sys_exit_setsockopt(struct syscall_trace_exit *ctx)
{
    /* Records the return value of setsockopt. */
    struct ret_event *rec;
    __u32 pid;
    __u32 tid;

    if (filter(&pid, &tid) ||
        !ior_on_syscall_exit(tid, SYS_ENTER_SETSOCKOPT, ctx->ret))
        return 0;

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_SETSOCKOPT;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret = ctx->ret;
    rec->ret_type = UNCLASSIFIED;

    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_getsockopt is a struct fd_event (kind=fd)
SEC("tracepoint/syscalls/sys_enter_getsockopt")
int handle_sys_enter_getsockopt(struct syscall_trace_enter *ctx)
{
    /* Records the socket descriptor at entry to getsockopt. */
    struct fd_event *rec;
    __u32 pid;
    __u32 tid;

    if (filter(&pid, &tid) ||
        !ior_on_syscall_enter(tid, SYS_ENTER_GETSOCKOPT))
        return 0;

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->event_type = ENTER_FD_EVENT;
    rec->trace_id = SYS_ENTER_GETSOCKOPT;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    rec->fd = (__s32)ctx->args[0];

    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_getsockopt is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_getsockopt")
int handle_sys_exit_getsockopt(struct syscall_trace_exit *ctx)
{
    /* Records the return value of getsockopt. */
    struct ret_event *rec;
    __u32 pid;
    __u32 tid;

    if (filter(&pid, &tid) ||
        !ior_on_syscall_exit(tid, SYS_ENTER_GETSOCKOPT, ctx->ret))
        return 0;

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_GETSOCKOPT;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret = ctx->ret;
    rec->ret_type = UNCLASSIFIED;

    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_shutdown is a struct fd_event (kind=fd)
SEC("tracepoint/syscalls/sys_enter_shutdown")
int handle_sys_enter_shutdown(struct syscall_trace_enter *ctx)
{
    /* Records the socket descriptor at entry to shutdown. */
    struct fd_event *rec;
    __u32 pid;
    __u32 tid;

    if (filter(&pid, &tid) ||
        !ior_on_syscall_enter(tid, SYS_ENTER_SHUTDOWN))
        return 0;

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->event_type = ENTER_FD_EVENT;
    rec->trace_id = SYS_ENTER_SHUTDOWN;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    rec->fd = (__s32)ctx->args[0];

    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_shutdown is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_shutdown")
int handle_sys_exit_shutdown(struct syscall_trace_exit *ctx)
{
    /* Records the return value of shutdown. */
    struct ret_event *rec;
    __u32 pid;
    __u32 tid;

    if (filter(&pid, &tid) ||
        !ior_on_syscall_exit(tid, SYS_ENTER_SHUTDOWN, ctx->ret))
        return 0;

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_SHUTDOWN;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret = ctx->ret;
    rec->ret_type = UNCLASSIFIED;

    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_sendmsg is a struct fd_event (kind=fd)
SEC("tracepoint/syscalls/sys_enter_sendmsg")
int handle_sys_enter_sendmsg(struct syscall_trace_enter *ctx)
{
    /* Records the socket descriptor at entry to sendmsg; the msghdr is not read. */
    struct fd_event *rec;
    __u32 pid;
    __u32 tid;

    if (filter(&pid, &tid) ||
        !ior_on_syscall_enter(tid, SYS_ENTER_SENDMSG))
        return 0;

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->event_type = ENTER_FD_EVENT;
    rec->trace_id = SYS_ENTER_SENDMSG;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    rec->fd = (__s32)ctx->args[0];

    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_sendmsg is a struct ret_event (WRITE_CLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_sendmsg")
int handle_sys_exit_sendmsg(struct syscall_trace_exit *ctx)
{
    /* Records the return value of sendmsg, tagged WRITE_CLASSIFIED. */
    struct ret_event *rec;
    __u32 pid;
    __u32 tid;

    if (filter(&pid, &tid) ||
        !ior_on_syscall_exit(tid, SYS_ENTER_SENDMSG, ctx->ret))
        return 0;

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_SENDMSG;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret = ctx->ret;
    rec->ret_type = WRITE_CLASSIFIED;

    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_sendmmsg is a struct fd_event (kind=fd)
SEC("tracepoint/syscalls/sys_enter_sendmmsg")
int handle_sys_enter_sendmmsg(struct syscall_trace_enter *ctx)
{
    /* Records the socket descriptor at entry to sendmmsg. */
    struct fd_event *rec;
    __u32 pid;
    __u32 tid;

    if (filter(&pid, &tid) ||
        !ior_on_syscall_enter(tid, SYS_ENTER_SENDMMSG))
        return 0;

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->event_type = ENTER_FD_EVENT;
    rec->trace_id = SYS_ENTER_SENDMMSG;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    rec->fd = (__s32)ctx->args[0];

    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_sendmmsg is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_sendmmsg")
int handle_sys_exit_sendmmsg(struct syscall_trace_exit *ctx)
{
    /*
     * Records the return value of sendmmsg. sendmmsg returns a message
     * count rather than a byte count, which is presumably why it is tagged
     * UNCLASSIFIED while sendmsg is WRITE_CLASSIFIED -- confirm in the
     * generator. Bytes sent this way are therefore not visible in ret.
     */
    struct ret_event *rec;
    __u32 pid;
    __u32 tid;

    if (filter(&pid, &tid) ||
        !ior_on_syscall_exit(tid, SYS_ENTER_SENDMMSG, ctx->ret))
        return 0;

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_SENDMMSG;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret = ctx->ret;
    rec->ret_type = UNCLASSIFIED;

    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_recvmsg is a struct fd_event (kind=fd)
SEC("tracepoint/syscalls/sys_enter_recvmsg")
int handle_sys_enter_recvmsg(struct syscall_trace_enter *ctx)
{
    /* Records the socket descriptor at entry to recvmsg. */
    struct fd_event *rec;
    __u32 pid;
    __u32 tid;

    if (filter(&pid, &tid) ||
        !ior_on_syscall_enter(tid, SYS_ENTER_RECVMSG))
        return 0;

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->event_type = ENTER_FD_EVENT;
    rec->trace_id = SYS_ENTER_RECVMSG;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    rec->fd = (__s32)ctx->args[0];

    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_recvmsg is a struct ret_event (READ_CLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_recvmsg")
int handle_sys_exit_recvmsg(struct syscall_trace_exit *ctx)
{
    /* Records the return value of recvmsg, tagged READ_CLASSIFIED. */
    struct ret_event *rec;
    __u32 pid;
    __u32 tid;

    if (filter(&pid, &tid) ||
        !ior_on_syscall_exit(tid, SYS_ENTER_RECVMSG, ctx->ret))
        return 0;

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_RECVMSG;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret = ctx->ret;
    rec->ret_type = READ_CLASSIFIED;

    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_recvmmsg is a struct fd_event (kind=fd)
SEC("tracepoint/syscalls/sys_enter_recvmmsg")
int handle_sys_enter_recvmmsg(struct syscall_trace_enter *ctx)
{
    /* Records the socket descriptor at entry to recvmmsg. */
    struct fd_event *rec;
    __u32 pid;
    __u32 tid;

    if (filter(&pid, &tid) ||
        !ior_on_syscall_enter(tid, SYS_ENTER_RECVMMSG))
        return 0;

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->event_type = ENTER_FD_EVENT;
    rec->trace_id = SYS_ENTER_RECVMMSG;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    rec->fd = (__s32)ctx->args[0];

    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_recvmmsg is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_recvmmsg")
int handle_sys_exit_recvmmsg(struct syscall_trace_exit *ctx)
{
    /* Records the return value of recvmmsg (a message count, not bytes). */
    struct ret_event *rec;
    __u32 pid;
    __u32 tid;

    if (filter(&pid, &tid) ||
        !ior_on_syscall_exit(tid, SYS_ENTER_RECVMMSG, ctx->ret))
        return 0;

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_RECVMMSG;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret = ctx->ret;
    rec->ret_type = UNCLASSIFIED;

    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_getrandom is a struct null_event (kind=null)
SEC("tracepoint/syscalls/sys_enter_getrandom")
int handle_sys_enter_getrandom(struct syscall_trace_enter *ctx)
{
    /* Records that getrandom was entered; no argument is captured. */
    struct null_event *rec;
    __u32 pid;
    __u32 tid;

    if (filter(&pid, &tid) ||
        !ior_on_syscall_enter(tid, SYS_ENTER_GETRANDOM))
        return 0;

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->event_type = ENTER_NULL_EVENT;
    rec->trace_id = SYS_ENTER_GETRANDOM;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();

    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_getrandom is a struct ret_event (READ_CLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_getrandom")
int handle_sys_exit_getrandom(struct syscall_trace_exit *ctx)
{
    /* Records the return value of getrandom; the random bytes are never read. */
    struct ret_event *rec;
    __u32 pid;
    __u32 tid;

    if (filter(&pid, &tid) ||
        !ior_on_syscall_exit(tid, SYS_ENTER_GETRANDOM, ctx->ret))
        return 0;

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_GETRANDOM;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret = ctx->ret;
    rec->ret_type = READ_CLASSIFIED;

    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_io_uring_register is a struct fd_event (kind=fd)
SEC("tracepoint/syscalls/sys_enter_io_uring_register")
int handle_sys_enter_io_uring_register(struct syscall_trace_enter *ctx)
{
    /* Records the ring descriptor (first argument); opcode and arg are not captured. */
    struct fd_event *rec;
    __u32 pid;
    __u32 tid;

    if (filter(&pid, &tid) ||
        !ior_on_syscall_enter(tid, SYS_ENTER_IO_URING_REGISTER))
        return 0;

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->event_type = ENTER_FD_EVENT;
    rec->trace_id = SYS_ENTER_IO_URING_REGISTER;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    rec->fd = (__s32)ctx->args[0];

    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_io_uring_register is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_io_uring_register")
int handle_sys_exit_io_uring_register(struct syscall_trace_exit *ctx)
{
    /* Records the return value of io_uring_register. */
    struct ret_event *rec;
    __u32 pid;
    __u32 tid;

    if (filter(&pid, &tid) ||
        !ior_on_syscall_exit(tid, SYS_ENTER_IO_URING_REGISTER, ctx->ret))
        return 0;

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_IO_URING_REGISTER;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret = ctx->ret;
    rec->ret_type = UNCLASSIFIED;

    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_io_uring_enter is a struct fd_event (kind=fd)
SEC("tracepoint/syscalls/sys_enter_io_uring_enter")
int handle_sys_enter_io_uring_enter(struct syscall_trace_enter *ctx)
{
    /*
     * Records the ring descriptor at entry to io_uring_enter.
     * NOTE(review): operations queued on the ring are carried out by the
     * kernel without passing through per-syscall tracepoints, so a tracer
     * built on syscall tracepoints sees this call but not the individual
     * reads, writes or opens it triggers. Treat io_uring activity as a
     * coverage gap unless it is instrumented separately.
     */
    struct fd_event *rec;
    __u32 pid;
    __u32 tid;

    if (filter(&pid, &tid) ||
        !ior_on_syscall_enter(tid, SYS_ENTER_IO_URING_ENTER))
        return 0;

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->event_type = ENTER_FD_EVENT;
    rec->trace_id = SYS_ENTER_IO_URING_ENTER;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    rec->fd = (__s32)ctx->args[0];

    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_io_uring_enter is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_io_uring_enter")
int handle_sys_exit_io_uring_enter(struct syscall_trace_exit *ctx)
{
    /* Records the return value of io_uring_enter. */
    struct ret_event *rec;
    __u32 pid;
    __u32 tid;

    if (filter(&pid, &tid) ||
        !ior_on_syscall_exit(tid, SYS_ENTER_IO_URING_ENTER, ctx->ret))
        return 0;

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_IO_URING_ENTER;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret = ctx->ret;
    rec->ret_type = UNCLASSIFIED;

    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_io_uring_setup is a struct null_event (kind=null)
SEC("tracepoint/syscalls/sys_enter_io_uring_setup")
int handle_sys_enter_io_uring_setup(struct syscall_trace_enter *ctx)
{
    /* Records that io_uring_setup was entered; no argument is captured. */
    struct null_event *rec;
    __u32 pid;
    __u32 tid;

    if (filter(&pid, &tid) ||
        !ior_on_syscall_enter(tid, SYS_ENTER_IO_URING_SETUP))
        return 0;

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->event_type = ENTER_NULL_EVENT;
    rec->trace_id = SYS_ENTER_IO_URING_SETUP;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();

    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_io_uring_setup is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_io_uring_setup")
int handle_sys_exit_io_uring_setup(struct syscall_trace_exit *ctx)
{
    /* Records the return value of io_uring_setup (the new ring fd on success). */
    struct ret_event *rec;
    __u32 pid;
    __u32 tid;

    if (filter(&pid, &tid) ||
        !ior_on_syscall_exit(tid, SYS_ENTER_IO_URING_SETUP, ctx->ret))
        return 0;

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_IO_URING_SETUP;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret = ctx->ret;
    rec->ret_type = UNCLASSIFIED;

    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_ioprio_set is a struct null_event (kind=null)
SEC("tracepoint/syscalls/sys_enter_ioprio_set")
int handle_sys_enter_ioprio_set(struct syscall_trace_enter *ctx)
{
    /* Records that ioprio_set was entered; no argument is captured. */
    struct null_event *rec;
    __u32 pid;
    __u32 tid;

    if (filter(&pid, &tid) ||
        !ior_on_syscall_enter(tid, SYS_ENTER_IOPRIO_SET))
        return 0;

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->event_type = ENTER_NULL_EVENT;
    rec->trace_id = SYS_ENTER_IOPRIO_SET;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();

    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_ioprio_set is a struct ret_event (UNCLASSIFIED) (kind=ret)
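SEC("tracepoint/syscalls/sys_exit_ioprio_set")
int handle_sys_exit_ioprio_set(struct syscall_trace_exit *ctx)
{
    /*
     * Every handler in this group follows the same steps: filter() gates on
     * the current task (non-zero means "do not trace"; presumably it also
     * fills pid and tid -- confirm against its definition), then
     * ior_on_syscall_enter()/ior_on_syscall_exit() (defined elsewhere) may
     * suppress the record, then a fixed-size record is reserved in
     * event_map, filled and submitted. When the ring buffer is full the
     * record is dropped without any counter here, so consumers must
     * tolerate an enter without its exit and the reverse.
     */
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_IOPRIO_SET, ctx->ret))
        return 0;

    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev)
        return 0;

    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_IOPRIO_SET;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;

    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_ioprio_get is a struct null_event (kind=null)
SEC("tracepoint/syscalls/sys_enter_ioprio_get")
int handle_sys_enter_ioprio_get(struct syscall_trace_enter *ctx)
{
    /* Records that ioprio_get was entered; no argument is captured. */
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_IOPRIO_GET))
        return 0;

    struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0);
    if (!ev)
        return 0;

    ev->event_type = ENTER_NULL_EVENT;
    ev->trace_id = SYS_ENTER_IOPRIO_GET;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();

    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_ioprio_get is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_ioprio_get")
int handle_sys_exit_ioprio_get(struct syscall_trace_exit *ctx)
{
    /* Records the return value of ioprio_get. */
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_IOPRIO_GET, ctx->ret))
        return 0;

    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev)
        return 0;

    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_IOPRIO_GET;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;

    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_landlock_create_ruleset is a struct eventfd_event (kind=eventfd)
SEC("tracepoint/syscalls/sys_enter_landlock_create_ruleset")
int handle_sys_enter_landlock_create_ruleset(struct syscall_trace_enter *ctx)
{
    /*
     * Records the flags argument (third syscall argument) of
     * landlock_create_ruleset and parks it in eventfd_flags_map, keyed by
     * tid, so the exit handler can report it next to the return value.
     */
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_LANDLOCK_CREATE_RULESET))
        return 0;

    struct eventfd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct eventfd_event), 0);
    if (!ev)
        return 0;

    ev->event_type = ENTER_EVENTFD_EVENT;
    ev->trace_id = SYS_ENTER_LANDLOCK_CREATE_RULESET;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();

    __s32 flags = (__s32)ctx->args[2];
    /*
     * Best effort: the result is not checked, so if the map cannot take the
     * entry the exit record reports flags == 0.
     */
    bpf_map_update_elem(&eventfd_flags_map, &tid, &flags, BPF_ANY);
    ev->flags = flags;
    ev->ret = -1; /* no return value exists yet at entry */

    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_landlock_create_ruleset is a struct eventfd_event (kind=eventfd)
SEC("tracepoint/syscalls/sys_exit_landlock_create_ruleset")
int handle_sys_exit_landlock_create_ruleset(struct syscall_trace_exit *ctx)
{
    /*
     * Reports the return value of landlock_create_ruleset together with the
     * flags parked by the enter handler.
     *
     * The parked entry is consumed before the ring buffer reservation.
     * Doing it afterwards left the entry in eventfd_flags_map whenever the
     * reservation failed; entries of threads that never made another such
     * call would then stay in the map.
     * NOTE(review): this file is generated, so the same ordering belongs in
     * the generator template; other handlers using eventfd_flags_map
     * presumably share the pattern. An exit suppressed by
     * ior_on_syscall_exit() still leaves the entry behind -- confirm
     * whether that path can occur after a recorded enter.
     */
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_LANDLOCK_CREATE_RULESET, ctx->ret))
        return 0;

    __s32 flags = 0;
    __s32 *pending = bpf_map_lookup_elem(&eventfd_flags_map, &tid);
    if (pending) {
        flags = *pending;
        bpf_map_delete_elem(&eventfd_flags_map, &tid);
    }

    struct eventfd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct eventfd_event), 0);
    if (!ev)
        return 0;

    ev->event_type = EXIT_EVENTFD_EVENT;
    ev->trace_id = SYS_EXIT_LANDLOCK_CREATE_RULESET;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->flags = flags;
    ev->ret = ctx->ret;

    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_landlock_add_rule is a struct fd_event (kind=fd)
SEC("tracepoint/syscalls/sys_enter_landlock_add_rule")
int handle_sys_enter_landlock_add_rule(struct syscall_trace_enter *ctx)
{
    /* Records the ruleset descriptor (first argument); the rule itself is not captured. */
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_LANDLOCK_ADD_RULE))
        return 0;

    struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
    if (!ev)
        return 0;

    ev->event_type = ENTER_FD_EVENT;
    ev->trace_id = SYS_ENTER_LANDLOCK_ADD_RULE;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    /* args[] holds register-width values; the cast keeps the low 32 bits as a signed fd */
    ev->fd = (__s32)ctx->args[0];

    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_landlock_add_rule is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_landlock_add_rule")
int handle_sys_exit_landlock_add_rule(struct syscall_trace_exit *ctx)
{
    /* Records the return value of landlock_add_rule. */
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_LANDLOCK_ADD_RULE, ctx->ret))
        return 0;

    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev)
        return 0;

    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_LANDLOCK_ADD_RULE;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;

    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_landlock_restrict_self is a struct fd_event (kind=fd)
SEC("tracepoint/syscalls/sys_enter_landlock_restrict_self")
int handle_sys_enter_landlock_restrict_self(struct syscall_trace_enter *ctx)
{
    /* Records the ruleset descriptor a task is about to enforce on itself. */
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_LANDLOCK_RESTRICT_SELF))
        return 0;

    struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
    if (!ev)
        return 0;

    ev->event_type = ENTER_FD_EVENT;
    ev->trace_id = SYS_ENTER_LANDLOCK_RESTRICT_SELF;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->fd = (__s32)ctx->args[0];

    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_landlock_restrict_self is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_landlock_restrict_self")
int handle_sys_exit_landlock_restrict_self(struct syscall_trace_exit *ctx)
{
    /* Records the return value of landlock_restrict_self. */
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_LANDLOCK_RESTRICT_SELF, ctx->ret))
        return 0;

    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev)
        return 0;

    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_LANDLOCK_RESTRICT_SELF;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;

    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_lsm_set_self_attr is a struct null_event (kind=null)
SEC("tracepoint/syscalls/sys_enter_lsm_set_self_attr")
int handle_sys_enter_lsm_set_self_attr(struct syscall_trace_enter *ctx)
{
    /* Records that lsm_set_self_attr was entered; the attribute is not captured. */
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_LSM_SET_SELF_ATTR))
        return 0;

    struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0);
    if (!ev)
        return 0;

    ev->event_type = ENTER_NULL_EVENT;
    ev->trace_id = SYS_ENTER_LSM_SET_SELF_ATTR;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();

    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_lsm_set_self_attr is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_lsm_set_self_attr")
int handle_sys_exit_lsm_set_self_attr(struct syscall_trace_exit *ctx)
{
    /* Records the return value of lsm_set_self_attr. */
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_LSM_SET_SELF_ATTR, ctx->ret))
        return 0;

    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev)
        return 0;

    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_LSM_SET_SELF_ATTR;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;

    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_lsm_get_self_attr is a struct null_event (kind=null)
SEC("tracepoint/syscalls/sys_enter_lsm_get_self_attr")
int handle_sys_enter_lsm_get_self_attr(struct syscall_trace_enter *ctx)
{
    /* Records that lsm_get_self_attr was entered; no argument is captured. */
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_LSM_GET_SELF_ATTR))
        return 0;

    struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0);
    if (!ev)
        return 0;

    ev->event_type = ENTER_NULL_EVENT;
    ev->trace_id = SYS_ENTER_LSM_GET_SELF_ATTR;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();

    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_lsm_get_self_attr is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_lsm_get_self_attr")
int handle_sys_exit_lsm_get_self_attr(struct syscall_trace_exit *ctx)
{
    /* Records the return value of lsm_get_self_attr. */
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_LSM_GET_SELF_ATTR, ctx->ret))
        return 0;

    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev)
        return 0;

    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_LSM_GET_SELF_ATTR;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;

    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_lsm_list_modules is a struct null_event (kind=null)
SEC("tracepoint/syscalls/sys_enter_lsm_list_modules")
int handle_sys_enter_lsm_list_modules(struct syscall_trace_enter *ctx)
{
    /* Records that lsm_list_modules was entered; no argument is captured. */
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_LSM_LIST_MODULES))
        return 0;

    struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0);
    if (!ev)
        return 0;

    ev->event_type = ENTER_NULL_EVENT;
    ev->trace_id = SYS_ENTER_LSM_LIST_MODULES;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();

    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_lsm_list_modules is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_lsm_list_modules")
int handle_sys_exit_lsm_list_modules(struct syscall_trace_exit *ctx)
{
    /* Records the return value of lsm_list_modules. */
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_LSM_LIST_MODULES, ctx->ret))
        return 0;

    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev)
        return 0;

    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_LSM_LIST_MODULES;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;

    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_add_key is a struct keyctl_event (kind=keyctl)
SEC("tracepoint/syscalls/sys_enter_add_key")
int handle_sys_enter_add_key(struct syscall_trace_enter *ctx)
{
    /*
     * Records an add_key call as a keyctl_event. Only the fifth argument
     * (the target keyring serial) and the fourth (the payload length) are
     * stored; the payload pointer (third argument) is never dereferenced,
     * so key material does not reach the ring buffer.
     */
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_ADD_KEY))
        return 0;

    struct keyctl_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct keyctl_event), 0);
    if (!ev)
        return 0;

    ev->event_type = ENTER_KEYCTL_EVENT;
    ev->trace_id = SYS_ENTER_ADD_KEY;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    /* add_key has no option argument; -1 is presumably a sentinel for the consumer -- confirm */
    ev->option = -1;
    ev->key_serial = (__s32)ctx->args[4];
    ev->value = (__u64)ctx->args[3];

    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_add_key is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_add_key")
int handle_sys_exit_add_key(struct syscall_trace_exit *ctx)
{
    /* Records the return value of add_key. */
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_ADD_KEY, ctx->ret))
        return 0;

    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev)
        return 0;

    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_ADD_KEY;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;

    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_request_key is a struct keyctl_event (kind=keyctl)
SEC("tracepoint/syscalls/sys_enter_request_key")
int handle_sys_enter_request_key(struct syscall_trace_enter *ctx)
{
    /*
     * Records a request_key call as a keyctl_event, storing only the fourth
     * argument (the destination keyring serial). Type, description and
     * callout info are not read.
     */
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_REQUEST_KEY))
        return 0;

    struct keyctl_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct keyctl_event), 0);
    if (!ev)
        return 0;

    ev->event_type = ENTER_KEYCTL_EVENT;
    ev->trace_id = SYS_ENTER_REQUEST_KEY;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    /* request_key has no option argument; -2 is presumably a sentinel for the consumer -- confirm */
    ev->option = -2;
    ev->key_serial = (__s32)ctx->args[3];
    ev->value = 0;

    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_request_key is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_request_key")
int handle_sys_exit_request_key(struct syscall_trace_exit *ctx)
{
    /* Records the return value of request_key. */
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_REQUEST_KEY, ctx->ret))
        return 0;

    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev)
        return 0;

    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_REQUEST_KEY;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;

    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_keyctl is a struct keyctl_event (kind=keyctl)
SEC("tracepoint/syscalls/sys_enter_keyctl")
int handle_sys_enter_keyctl(struct syscall_trace_enter *ctx)
{
    /*
     * Records the first three raw arguments of keyctl. What the second and
     * third arguments mean depends on the option; for some options the
     * third is a user-space pointer, which is stored here as a number and
     * not dereferenced.
     */
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_KEYCTL))
        return 0;

    struct keyctl_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct keyctl_event), 0);
    if (!ev)
        return 0;

    ev->event_type = ENTER_KEYCTL_EVENT;
    ev->trace_id = SYS_ENTER_KEYCTL;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->option = (__s32)ctx->args[0];
    ev->key_serial = (__s32)ctx->args[1];
    ev->value = (__u64)ctx->args[2];

    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_keyctl is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_keyctl")
int handle_sys_exit_keyctl(struct syscall_trace_exit *ctx)
{
    /* Records the return value of keyctl. */
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_KEYCTL, ctx->ret))
        return 0;

    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev)
        return 0;

    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_KEYCTL;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;

    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_mq_open is a struct open_event (kind=mq-open)
SEC("tracepoint/syscalls/sys_enter_mq_open")
int handle_sys_enter_mq_open(struct syscall_trace_enter *ctx)
{
    /*
     * Records the queue name, the calling task's comm and the open flags
     * (second argument) at entry to mq_open.
     *
     * The name is copied from user memory at entry. The kernel reads the
     * same memory again when it executes the call, so another thread can
     * change it in between; treat the logged name as what was passed, not
     * as proof of what was opened.
     */
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_MQ_OPEN))
        return 0;

    struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0);
    if (!ev)
        return 0;

    ev->event_type = ENTER_OPEN_EVENT;
    ev->trace_id = SYS_ENTER_MQ_OPEN;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();

    /*
     * One memset covers both buffers.
     * NOTE(review): this is only correct if comm directly follows filename
     * in struct open_event with no padding -- confirm against the struct
     * definition, or clear the two fields separately in the generator.
     */
    __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm));
    /*
     * The copy is bounded by sizeof(ev->filename); longer names are
     * truncated. The return value is not checked; the field was zeroed
     * above, so it never carries uninitialised bytes.
     */
    bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[0]);
    bpf_get_current_comm(&ev->comm, sizeof(ev->comm));
    ev->flags = ctx->args[1];

    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_mq_open is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_mq_open")
int handle_sys_exit_mq_open(struct syscall_trace_exit *ctx)
{
    /* Records the return value of mq_open (the queue descriptor on success). */
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_MQ_OPEN, ctx->ret))
        return 0;

    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev)
        return 0;

    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_MQ_OPEN;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;

    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_mq_unlink is a struct path_event (kind=pathname)
SEC("tracepoint/syscalls/sys_enter_mq_unlink")
int handle_sys_enter_mq_unlink(struct syscall_trace_enter *ctx)
{
    /*
     * Records the queue name passed to mq_unlink. The name is read from
     * user memory at entry, so the same caveat as for any entry-time path
     * capture applies: it can differ from what the kernel later reads.
     */
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_MQ_UNLINK))
        return 0;

    struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
    if (!ev)
        return 0;

    ev->event_type = ENTER_PATH_EVENT;
    ev->trace_id = SYS_ENTER_MQ_UNLINK;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();

    /* Zero first so an unchecked, failed or short read leaves no stale bytes in the record. */
    __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
    bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]);

    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_mq_unlink is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_mq_unlink")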
int handle_sys_exit_mq_unlink(struct syscall_trace_exit *ctx)
{
    __u32 pid, tid;

    // filter() and ior_on_syscall_exit() are defined elsewhere in the project;
    // a non-zero filter() or a zero ior_on_syscall_exit() means no record is emitted.
    if (filter(&pid, &tid) ||
        !ior_on_syscall_exit(tid, SYS_ENTER_MQ_UNLINK, ctx->ret))
        return 0;

    // NULL means the ring buffer had no room: the record is dropped silently,
    // so a consumer can see an enter record without its exit record.
    struct ret_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->pid = pid;
    rec->tid = tid;
    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_MQ_UNLINK;
    rec->time = bpf_ktime_get_boot_ns(); // boot-time clock, nanoseconds
    rec->ret = ctx->ret;
    rec->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_mq_timedsend is a struct fd_event (kind=fd)
SEC("tracepoint/syscalls/sys_enter_mq_timedsend")
int handle_sys_enter_mq_timedsend(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid) || !ior_on_syscall_enter(tid, SYS_ENTER_MQ_TIMEDSEND))
        return 0;

    struct fd_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->pid = pid;
    rec->tid = tid;
    rec->event_type = ENTER_FD_EVENT;
    rec->trace_id = SYS_ENTER_MQ_TIMEDSEND;
    rec->time = bpf_ktime_get_boot_ns();
    // Only the descriptor (first syscall argument, narrowed to 32 bits) is recorded.
    rec->fd = (__s32)ctx->args[0];
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_mq_timedsend is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_mq_timedsend")
int handle_sys_exit_mq_timedsend(struct syscall_trace_exit *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid) ||
        !ior_on_syscall_exit(tid, SYS_ENTER_MQ_TIMEDSEND, ctx->ret))
        return 0;

    struct ret_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->pid = pid;
    rec->tid = tid;
    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_MQ_TIMEDSEND;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret = ctx->ret;
    // NOTE(review): the receive side (mq_timedreceive) is READ_CLASSIFIED while
    // this send side is UNCLASSIFIED; confirm with the generator that this is intended.
    rec->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_mq_timedreceive is a struct fd_event (kind=fd)
SEC("tracepoint/syscalls/sys_enter_mq_timedreceive")
int handle_sys_enter_mq_timedreceive(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid) || !ior_on_syscall_enter(tid, SYS_ENTER_MQ_TIMEDRECEIVE))
        return 0;

    struct fd_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->pid = pid;
    rec->tid = tid;
    rec->event_type = ENTER_FD_EVENT;
    rec->trace_id = SYS_ENTER_MQ_TIMEDRECEIVE;
    rec->time = bpf_ktime_get_boot_ns();
    rec->fd = (__s32)ctx->args[0]; // descriptor only
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_mq_timedreceive is a struct ret_event (READ_CLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_mq_timedreceive")
int handle_sys_exit_mq_timedreceive(struct syscall_trace_exit *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid) ||
        !ior_on_syscall_exit(tid, SYS_ENTER_MQ_TIMEDRECEIVE, ctx->ret))
        return 0;

    struct ret_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->pid = pid;
    rec->tid = tid;
    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_MQ_TIMEDRECEIVE;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret = ctx->ret;
    rec->ret_type = READ_CLASSIFIED; // tag taken from the /// line above
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_mq_notify is a struct fd_event (kind=fd)
SEC("tracepoint/syscalls/sys_enter_mq_notify")
int handle_sys_enter_mq_notify(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid) || !ior_on_syscall_enter(tid, SYS_ENTER_MQ_NOTIFY))
        return 0;

    struct fd_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->pid = pid;
    rec->tid = tid;
    rec->event_type = ENTER_FD_EVENT;
    rec->trace_id = SYS_ENTER_MQ_NOTIFY;
    rec->time = bpf_ktime_get_boot_ns();
    rec->fd = (__s32)ctx->args[0]; // descriptor only
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_mq_notify is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_mq_notify")
int handle_sys_exit_mq_notify(struct syscall_trace_exit *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid) ||
        !ior_on_syscall_exit(tid, SYS_ENTER_MQ_NOTIFY, ctx->ret))
        return 0;

    struct ret_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->pid = pid;
    rec->tid = tid;
    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_MQ_NOTIFY;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret = ctx->ret;
    rec->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_mq_getsetattr is a struct fd_event (kind=fd)
SEC("tracepoint/syscalls/sys_enter_mq_getsetattr")
int handle_sys_enter_mq_getsetattr(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid) || !ior_on_syscall_enter(tid, SYS_ENTER_MQ_GETSETATTR))
        return 0;

    struct fd_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->pid = pid;
    rec->tid = tid;
    rec->event_type = ENTER_FD_EVENT;
    rec->trace_id = SYS_ENTER_MQ_GETSETATTR;
    rec->time = bpf_ktime_get_boot_ns();
    rec->fd = (__s32)ctx->args[0]; // descriptor only
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_mq_getsetattr is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_mq_getsetattr")
int handle_sys_exit_mq_getsetattr(struct syscall_trace_exit *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid) ||
        !ior_on_syscall_exit(tid, SYS_ENTER_MQ_GETSETATTR, ctx->ret))
        return 0;

    struct ret_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->pid = pid;
    rec->tid = tid;
    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_MQ_GETSETATTR;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret = ctx->ret;
    rec->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_shmget is a struct null_event (kind=sysv-id)
SEC("tracepoint/syscalls/sys_enter_shmget")
int handle_sys_enter_shmget(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid) || !ior_on_syscall_enter(tid, SYS_ENTER_SHMGET))
        return 0;

    struct null_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    // No syscall argument is copied: the record says only who called what, and when.
    rec->pid = pid;
    rec->tid = tid;
    rec->event_type = ENTER_NULL_EVENT;
    rec->trace_id = SYS_ENTER_SHMGET;
    rec->time = bpf_ktime_get_boot_ns();
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_shmget is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_shmget")
int handle_sys_exit_shmget(struct syscall_trace_exit *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid) ||
        !ior_on_syscall_exit(tid, SYS_ENTER_SHMGET, ctx->ret))
        return 0;

    struct ret_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->pid = pid;
    rec->tid = tid;
    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_SHMGET;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret = ctx->ret;
    rec->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_shmctl is a struct null_event (kind=sysv-op)
SEC("tracepoint/syscalls/sys_enter_shmctl")
int handle_sys_enter_shmctl(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid) || !ior_on_syscall_enter(tid, SYS_ENTER_SHMCTL))
        return 0;

    struct null_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    // No syscall argument is copied.
    rec->pid = pid;
    rec->tid = tid;
    rec->event_type = ENTER_NULL_EVENT;
    rec->trace_id = SYS_ENTER_SHMCTL;
    rec->time = bpf_ktime_get_boot_ns();
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_shmctl is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_shmctl")
int handle_sys_exit_shmctl(struct syscall_trace_exit *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid) ||
        !ior_on_syscall_exit(tid, SYS_ENTER_SHMCTL, ctx->ret))
        return 0;

    struct ret_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->pid = pid;
    rec->tid = tid;
    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_SHMCTL;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret = ctx->ret;
    rec->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_shmat is a struct null_event (kind=sysv-op)
SEC("tracepoint/syscalls/sys_enter_shmat")
int handle_sys_enter_shmat(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid) || !ior_on_syscall_enter(tid, SYS_ENTER_SHMAT))
        return 0;

    struct null_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    // No syscall argument is copied.
    rec->pid = pid;
    rec->tid = tid;
    rec->event_type = ENTER_NULL_EVENT;
    rec->trace_id = SYS_ENTER_SHMAT;
    rec->time = bpf_ktime_get_boot_ns();
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_shmat is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_shmat")
int handle_sys_exit_shmat(struct syscall_trace_exit *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid) ||
        !ior_on_syscall_exit(tid, SYS_ENTER_SHMAT, ctx->ret))
        return 0;

    struct ret_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->pid = pid;
    rec->tid = tid;
    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_SHMAT;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret = ctx->ret;
    rec->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_shmdt is a struct null_event (kind=sysv-op)
SEC("tracepoint/syscalls/sys_enter_shmdt")
int handle_sys_enter_shmdt(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid) || !ior_on_syscall_enter(tid, SYS_ENTER_SHMDT))
        return 0;

    struct null_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    // No syscall argument is copied.
    rec->pid = pid;
    rec->tid = tid;
    rec->event_type = ENTER_NULL_EVENT;
    rec->trace_id = SYS_ENTER_SHMDT;
    rec->time = bpf_ktime_get_boot_ns();
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_shmdt is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_shmdt")
int handle_sys_exit_shmdt(struct syscall_trace_exit *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid) ||
        !ior_on_syscall_exit(tid, SYS_ENTER_SHMDT, ctx->ret))
        return 0;

    struct ret_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->pid = pid;
    rec->tid = tid;
    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_SHMDT;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret = ctx->ret;
    rec->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_semget is a struct null_event (kind=sysv-id)
SEC("tracepoint/syscalls/sys_enter_semget")
int handle_sys_enter_semget(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid) || !ior_on_syscall_enter(tid, SYS_ENTER_SEMGET))
        return 0;

    struct null_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    // No syscall argument is copied.
    rec->pid = pid;
    rec->tid = tid;
    rec->event_type = ENTER_NULL_EVENT;
    rec->trace_id = SYS_ENTER_SEMGET;
    rec->time = bpf_ktime_get_boot_ns();
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_semget is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_semget")
int handle_sys_exit_semget(struct syscall_trace_exit *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid) ||
        !ior_on_syscall_exit(tid, SYS_ENTER_SEMGET, ctx->ret))
        return 0;

    struct ret_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->pid = pid;
    rec->tid = tid;
    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_SEMGET;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret = ctx->ret;
    rec->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_semctl is a struct null_event (kind=sysv-op)
SEC("tracepoint/syscalls/sys_enter_semctl")
int handle_sys_enter_semctl(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid) || !ior_on_syscall_enter(tid, SYS_ENTER_SEMCTL))
        return 0;

    struct null_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    // No syscall argument is copied.
    rec->pid = pid;
    rec->tid = tid;
    rec->event_type = ENTER_NULL_EVENT;
    rec->trace_id = SYS_ENTER_SEMCTL;
    rec->time = bpf_ktime_get_boot_ns();
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_semctl is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_semctl")
int handle_sys_exit_semctl(struct syscall_trace_exit *ctx)
{
    __u32 pid, tid;

    // filter() and ior_on_syscall_exit() are defined elsewhere in the project;
    // a non-zero filter() or a zero ior_on_syscall_exit() means no record is emitted.
    if (filter(&pid, &tid) ||
        !ior_on_syscall_exit(tid, SYS_ENTER_SEMCTL, ctx->ret))
        return 0;

    // NULL means the ring buffer had no room: the record is dropped silently,
    // so a consumer can see an enter record without its exit record.
    struct ret_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->pid = pid;
    rec->tid = tid;
    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_SEMCTL;
    rec->time = bpf_ktime_get_boot_ns(); // boot-time clock, nanoseconds
    rec->ret = ctx->ret;
    rec->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_semtimedop is a struct null_event (kind=sysv-op)
SEC("tracepoint/syscalls/sys_enter_semtimedop")
int handle_sys_enter_semtimedop(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid) || !ior_on_syscall_enter(tid, SYS_ENTER_SEMTIMEDOP))
        return 0;

    struct null_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    // No syscall argument is copied: the record says only who called what, and when.
    rec->pid = pid;
    rec->tid = tid;
    rec->event_type = ENTER_NULL_EVENT;
    rec->trace_id = SYS_ENTER_SEMTIMEDOP;
    rec->time = bpf_ktime_get_boot_ns();
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_semtimedop is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_semtimedop")
int handle_sys_exit_semtimedop(struct syscall_trace_exit *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid) ||
        !ior_on_syscall_exit(tid, SYS_ENTER_SEMTIMEDOP, ctx->ret))
        return 0;

    struct ret_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->pid = pid;
    rec->tid = tid;
    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_SEMTIMEDOP;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret = ctx->ret;
    rec->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_semop is a struct null_event (kind=sysv-op)
SEC("tracepoint/syscalls/sys_enter_semop")
int handle_sys_enter_semop(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid) || !ior_on_syscall_enter(tid, SYS_ENTER_SEMOP))
        return 0;

    struct null_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    // No syscall argument is copied.
    rec->pid = pid;
    rec->tid = tid;
    rec->event_type = ENTER_NULL_EVENT;
    rec->trace_id = SYS_ENTER_SEMOP;
    rec->time = bpf_ktime_get_boot_ns();
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_semop is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_semop")
int handle_sys_exit_semop(struct syscall_trace_exit *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid) ||
        !ior_on_syscall_exit(tid, SYS_ENTER_SEMOP, ctx->ret))
        return 0;

    struct ret_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->pid = pid;
    rec->tid = tid;
    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_SEMOP;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret = ctx->ret;
    rec->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_msgget is a struct null_event (kind=sysv-id)
SEC("tracepoint/syscalls/sys_enter_msgget")
int handle_sys_enter_msgget(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid) || !ior_on_syscall_enter(tid, SYS_ENTER_MSGGET))
        return 0;

    struct null_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    // No syscall argument is copied.
    rec->pid = pid;
    rec->tid = tid;
    rec->event_type = ENTER_NULL_EVENT;
    rec->trace_id = SYS_ENTER_MSGGET;
    rec->time = bpf_ktime_get_boot_ns();
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_msgget is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_msgget")
int handle_sys_exit_msgget(struct syscall_trace_exit *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid) ||
        !ior_on_syscall_exit(tid, SYS_ENTER_MSGGET, ctx->ret))
        return 0;

    struct ret_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->pid = pid;
    rec->tid = tid;
    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_MSGGET;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret = ctx->ret;
    rec->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_msgctl is a struct null_event (kind=sysv-op)
SEC("tracepoint/syscalls/sys_enter_msgctl")
int handle_sys_enter_msgctl(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid) || !ior_on_syscall_enter(tid, SYS_ENTER_MSGCTL))
        return 0;

    struct null_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    // No syscall argument is copied.
    rec->pid = pid;
    rec->tid = tid;
    rec->event_type = ENTER_NULL_EVENT;
    rec->trace_id = SYS_ENTER_MSGCTL;
    rec->time = bpf_ktime_get_boot_ns();
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_msgctl is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_msgctl")
int handle_sys_exit_msgctl(struct syscall_trace_exit *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid) ||
        !ior_on_syscall_exit(tid, SYS_ENTER_MSGCTL, ctx->ret))
        return 0;

    struct ret_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->pid = pid;
    rec->tid = tid;
    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_MSGCTL;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret = ctx->ret;
    rec->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_msgsnd is a struct null_event (kind=sysv-op)
SEC("tracepoint/syscalls/sys_enter_msgsnd")
int handle_sys_enter_msgsnd(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid) || !ior_on_syscall_enter(tid, SYS_ENTER_MSGSND))
        return 0;

    struct null_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    // No syscall argument is copied.
    rec->pid = pid;
    rec->tid = tid;
    rec->event_type = ENTER_NULL_EVENT;
    rec->trace_id = SYS_ENTER_MSGSND;
    rec->time = bpf_ktime_get_boot_ns();
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_msgsnd is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_msgsnd")
int handle_sys_exit_msgsnd(struct syscall_trace_exit *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid) ||
        !ior_on_syscall_exit(tid, SYS_ENTER_MSGSND, ctx->ret))
        return 0;

    struct ret_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->pid = pid;
    rec->tid = tid;
    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_MSGSND;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret = ctx->ret;
    // NOTE(review): the receive side (msgrcv) is READ_CLASSIFIED while this
    // send side is UNCLASSIFIED; confirm with the generator that this is intended.
    rec->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_msgrcv is a struct null_event (kind=sysv-op)
SEC("tracepoint/syscalls/sys_enter_msgrcv")
int handle_sys_enter_msgrcv(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid) || !ior_on_syscall_enter(tid, SYS_ENTER_MSGRCV))
        return 0;

    struct null_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    // No syscall argument is copied.
    rec->pid = pid;
    rec->tid = tid;
    rec->event_type = ENTER_NULL_EVENT;
    rec->trace_id = SYS_ENTER_MSGRCV;
    rec->time = bpf_ktime_get_boot_ns();
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_msgrcv is a struct ret_event (READ_CLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_msgrcv")
int handle_sys_exit_msgrcv(struct syscall_trace_exit *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid) ||
        !ior_on_syscall_exit(tid, SYS_ENTER_MSGRCV, ctx->ret))
        return 0;

    struct ret_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->pid = pid;
    rec->tid = tid;
    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_MSGRCV;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret = ctx->ret;
    rec->ret_type = READ_CLASSIFIED; // tag taken from the /// line above
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_quotactl is a struct path_event (kind=pathname)
SEC("tracepoint/syscalls/sys_enter_quotactl")
int handle_sys_enter_quotactl(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid) || !ior_on_syscall_enter(tid, SYS_ENTER_QUOTACTL))
        return 0;

    struct path_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->pid = pid;
    rec->tid = tid;
    rec->event_type = ENTER_PATH_EVENT;
    rec->trace_id = SYS_ENTER_QUOTACTL;
    rec->time = bpf_ktime_get_boot_ns();
    // Zero the buffer first so a failed read leaves an empty string; the
    // helper's return value is not checked. The string is copied from user
    // memory at syscall entry and truncated to the buffer size, so it is what
    // the caller passed at that instant, not necessarily what the kernel resolves.
    __builtin_memset(&rec->pathname, 0, sizeof(rec->pathname));
    bpf_probe_read_user_str(rec->pathname, sizeof(rec->pathname),
                            (void *)ctx->args[1]);
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_quotactl is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_quotactl")
int handle_sys_exit_quotactl(struct syscall_trace_exit *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid) ||
        !ior_on_syscall_exit(tid, SYS_ENTER_QUOTACTL, ctx->ret))
        return 0;

    struct ret_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->pid = pid;
    rec->tid = tid;
    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_QUOTACTL;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret = ctx->ret;
    rec->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_quotactl_fd is a struct fd_event (kind=fd)
SEC("tracepoint/syscalls/sys_enter_quotactl_fd")
int handle_sys_enter_quotactl_fd(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid) || !ior_on_syscall_enter(tid, SYS_ENTER_QUOTACTL_FD))
        return 0;

    struct fd_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->pid = pid;
    rec->tid = tid;
    rec->event_type = ENTER_FD_EVENT;
    rec->trace_id = SYS_ENTER_QUOTACTL_FD;
    rec->time = bpf_ktime_get_boot_ns();
    // Only the descriptor (first syscall argument, narrowed to 32 bits) is recorded.
    rec->fd = (__s32)ctx->args[0];
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_quotactl_fd is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_quotactl_fd")
int handle_sys_exit_quotactl_fd(struct syscall_trace_exit *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid) ||
        !ior_on_syscall_exit(tid, SYS_ENTER_QUOTACTL_FD, ctx->ret))
        return 0;

    struct ret_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->pid = pid;
    rec->tid = tid;
    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_QUOTACTL_FD;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret = ctx->ret;
    rec->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_name_to_handle_at is a struct path_event (kind=pathname)
SEC("tracepoint/syscalls/sys_enter_name_to_handle_at")
int handle_sys_enter_name_to_handle_at(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid) ||
        !ior_on_syscall_enter(tid, SYS_ENTER_NAME_TO_HANDLE_AT))
        return 0;

    struct path_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->pid = pid;
    rec->tid = tid;
    rec->event_type = ENTER_PATH_EVENT;
    rec->trace_id = SYS_ENTER_NAME_TO_HANDLE_AT;
    rec->time = bpf_ktime_get_boot_ns();
    // Best-effort copy of the second argument from user memory at entry; a
    // failed read leaves the zeroed buffer (empty string), and the dirfd the
    // path is relative to is not recorded.
    __builtin_memset(&rec->pathname, 0, sizeof(rec->pathname));
    bpf_probe_read_user_str(rec->pathname, sizeof(rec->pathname),
                            (void *)ctx->args[1]);
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_name_to_handle_at is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_name_to_handle_at")
int handle_sys_exit_name_to_handle_at(struct syscall_trace_exit *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid) ||
        !ior_on_syscall_exit(tid, SYS_ENTER_NAME_TO_HANDLE_AT, ctx->ret))
        return 0;

    struct ret_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->pid = pid;
    rec->tid = tid;
    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_NAME_TO_HANDLE_AT;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret = ctx->ret;
    rec->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_open_by_handle_at is a struct open_by_handle_at_event (kind=open-by-handle-at)
SEC("tracepoint/syscalls/sys_enter_open_by_handle_at")
int handle_sys_enter_open_by_handle_at(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid) ||
        !ior_on_syscall_enter(tid, SYS_ENTER_OPEN_BY_HANDLE_AT))
        return 0;

    struct open_by_handle_at_event *rec =
        bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->pid = pid;
    rec->tid = tid;
    rec->event_type = ENTER_OPEN_BY_HANDLE_AT_EVENT;
    rec->trace_id = SYS_ENTER_OPEN_BY_HANDLE_AT;
    rec->time = bpf_ktime_get_boot_ns();
    // Only the flags (third argument) are recorded; the first two arguments
    // (mount fd and file handle) are not captured, so the record identifies
    // the call but not the file being opened.
    rec->flags = (__s32)ctx->args[2];
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_open_by_handle_at is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_open_by_handle_at")
int handle_sys_exit_open_by_handle_at(struct syscall_trace_exit *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid) ||
        !ior_on_syscall_exit(tid, SYS_ENTER_OPEN_BY_HANDLE_AT, ctx->ret))
        return 0;

    struct ret_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->pid = pid;
    rec->tid = tid;
    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_OPEN_BY_HANDLE_AT;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret = ctx->ret;
    rec->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_flock is a struct fd_event (kind=fd)
SEC("tracepoint/syscalls/sys_enter_flock")
int handle_sys_enter_flock(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid) || !ior_on_syscall_enter(tid, SYS_ENTER_FLOCK))
        return 0;

    struct fd_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->pid = pid;
    rec->tid = tid;
    rec->event_type = ENTER_FD_EVENT;
    rec->trace_id = SYS_ENTER_FLOCK;
    rec->time = bpf_ktime_get_boot_ns();
    rec->fd = (__s32)ctx->args[0]; // descriptor only; the lock operation is not recorded
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_flock is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_flock")
int handle_sys_exit_flock(struct syscall_trace_exit *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid) ||
        !ior_on_syscall_exit(tid, SYS_ENTER_FLOCK, ctx->ret))
        return 0;

    struct ret_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->pid = pid;
    rec->tid = tid;
    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_FLOCK;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret = ctx->ret;
    rec->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_io_setup is a struct null_event (kind=null)
SEC("tracepoint/syscalls/sys_enter_io_setup")
int handle_sys_enter_io_setup(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid) || !ior_on_syscall_enter(tid, SYS_ENTER_IO_SETUP))
        return 0;

    struct null_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    // No syscall argument is copied.
    rec->pid = pid;
    rec->tid = tid;
    rec->event_type = ENTER_NULL_EVENT;
    rec->trace_id = SYS_ENTER_IO_SETUP;
    rec->time = bpf_ktime_get_boot_ns();
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_io_setup is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_io_setup")
int handle_sys_exit_io_setup(struct syscall_trace_exit *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid) ||
        !ior_on_syscall_exit(tid, SYS_ENTER_IO_SETUP, ctx->ret))
        return 0;

    struct ret_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->pid = pid;
    rec->tid = tid;
    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_IO_SETUP;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret = ctx->ret;
    rec->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_io_destroy is a struct null_event (kind=null)
SEC("tracepoint/syscalls/sys_enter_io_destroy")
int handle_sys_enter_io_destroy(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid) || !ior_on_syscall_enter(tid, SYS_ENTER_IO_DESTROY))
        return 0;

    struct null_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    // No syscall argument is copied.
    rec->pid = pid;
    rec->tid = tid;
    rec->event_type = ENTER_NULL_EVENT;
    rec->trace_id = SYS_ENTER_IO_DESTROY;
    rec->time = bpf_ktime_get_boot_ns();
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_io_destroy is a struct ret_event (UNCLASSIFIED) (kind=ret)
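SEC("tracepoint/syscalls/sys_exit_io_destroy")
int handle_sys_exit_io_destroy(struct syscall_trace_exit *ctx)
{
    __u32 pid, tid;

    // filter() and ior_on_syscall_exit() are defined elsewhere in the project;
    // a non-zero filter() or a zero ior_on_syscall_exit() means no record is emitted.
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_IO_DESTROY, ctx->ret))
        return 0;

    // NULL means the ring buffer had no room: the record is dropped silently,
    // so a consumer can see an enter record without its exit record.
    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(*ev), 0);
    if (!ev)
        return 0;

    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_IO_DESTROY;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns(); // boot-time clock, nanoseconds
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_io_submit is a struct null_event (kind=null)
SEC("tracepoint/syscalls/sys_enter_io_submit")
int handle_sys_enter_io_submit(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_IO_SUBMIT))
        return 0;

    struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(*ev), 0);
    if (!ev)
        return 0;

    // No syscall argument is copied: the record says only who called what, and when.
    ev->event_type = ENTER_NULL_EVENT;
    ev->trace_id = SYS_ENTER_IO_SUBMIT;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_io_submit is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_io_submit")
int handle_sys_exit_io_submit(struct syscall_trace_exit *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_IO_SUBMIT, ctx->ret))
        return 0;

    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(*ev), 0);
    if (!ev)
        return 0;

    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_IO_SUBMIT;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_io_cancel is a struct null_event (kind=null)
SEC("tracepoint/syscalls/sys_enter_io_cancel")
int handle_sys_enter_io_cancel(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_IO_CANCEL))
        return 0;

    struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(*ev), 0);
    if (!ev)
        return 0;

    // No syscall argument is copied.
    ev->event_type = ENTER_NULL_EVENT;
    ev->trace_id = SYS_ENTER_IO_CANCEL;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_io_cancel is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_io_cancel")
int handle_sys_exit_io_cancel(struct syscall_trace_exit *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_IO_CANCEL, ctx->ret))
        return 0;

    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(*ev), 0);
    if (!ev)
        return 0;

    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_IO_CANCEL;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_io_getevents is a struct null_event (kind=null)
SEC("tracepoint/syscalls/sys_enter_io_getevents")
int handle_sys_enter_io_getevents(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_IO_GETEVENTS))
        return 0;

    struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(*ev), 0);
    if (!ev)
        return 0;

    // No syscall argument is copied.
    ev->event_type = ENTER_NULL_EVENT;
    ev->trace_id = SYS_ENTER_IO_GETEVENTS;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_io_getevents is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_io_getevents")
int handle_sys_exit_io_getevents(struct syscall_trace_exit *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_IO_GETEVENTS, ctx->ret))
        return 0;

    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(*ev), 0);
    if (!ev)
        return 0;

    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_IO_GETEVENTS;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_io_pgetevents is a struct null_event (kind=null)
SEC("tracepoint/syscalls/sys_enter_io_pgetevents")
int handle_sys_enter_io_pgetevents(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_IO_PGETEVENTS))
        return 0;

    struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(*ev), 0);
    if (!ev)
        return 0;

    // No syscall argument is copied.
    ev->event_type = ENTER_NULL_EVENT;
    ev->trace_id = SYS_ENTER_IO_PGETEVENTS;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_io_pgetevents is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_io_pgetevents")
int handle_sys_exit_io_pgetevents(struct syscall_trace_exit *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_IO_PGETEVENTS, ctx->ret))
        return 0;

    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(*ev), 0);
    if (!ev)
        return 0;

    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_IO_PGETEVENTS;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_userfaultfd is a struct eventfd_event (kind=eventfd)
SEC("tracepoint/syscalls/sys_enter_userfaultfd")
int handle_sys_enter_userfaultfd(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_USERFAULTFD))
        return 0;

    // Stash the flags (first argument) under the thread id before reserving
    // ring-buffer space, so the exit record still carries them when this enter
    // record has to be dropped. The update is best effort: if it fails, the
    // exit record reports flags = 0.
    __s32 flags = (__s32)ctx->args[0];
    bpf_map_update_elem(&eventfd_flags_map, &tid, &flags, BPF_ANY);

    struct eventfd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(*ev), 0);
    if (!ev)
        return 0;

    ev->event_type = ENTER_EVENTFD_EVENT;
    ev->trace_id = SYS_ENTER_USERFAULTFD;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->flags = flags;
    ev->ret = -1; // no return value exists at entry; -1 is the placeholder
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_userfaultfd is a struct eventfd_event (kind=eventfd)
SEC("tracepoint/syscalls/sys_exit_userfaultfd")
int handle_sys_exit_userfaultfd(struct syscall_trace_exit *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_USERFAULTFD, ctx->ret))
        return 0;

    // Consume the flags stashed at entry before reserving ring-buffer space,
    // so the map entry is removed even when the exit record has to be dropped
    // and cannot linger as a stale per-thread entry.
    __s32 flags = 0;
    __s32 *pending = bpf_map_lookup_elem(&eventfd_flags_map, &tid);
    if (pending) {
        flags = *pending;
        bpf_map_delete_elem(&eventfd_flags_map, &tid);
    }

    struct eventfd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(*ev), 0);
    if (!ev)
        return 0;

    ev->event_type = EXIT_EVENTFD_EVENT;
    ev->trace_id = SYS_EXIT_USERFAULTFD;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->flags = flags; // 0 when nothing was stashed for this thread
    ev->ret = ctx->ret;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_eventfd2 is a struct eventfd_event (kind=eventfd)
SEC("tracepoint/syscalls/sys_enter_eventfd2")
int handle_sys_enter_eventfd2(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_EVENTFD2))
        return 0;

    // Stash the flags (second argument) before reserving, so the exit record
    // still carries them when this enter record has to be dropped. Best
    // effort: a failed update makes the exit record report flags = 0.
    __s32 flags = (__s32)ctx->args[1];
    bpf_map_update_elem(&eventfd_flags_map, &tid, &flags, BPF_ANY);

    struct eventfd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(*ev), 0);
    if (!ev)
        return 0;

    ev->event_type = ENTER_EVENTFD_EVENT;
    ev->trace_id = SYS_ENTER_EVENTFD2;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->flags = flags;
    ev->ret = -1; // no return value exists at entry; -1 is the placeholder
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_eventfd2 is a struct eventfd_event (kind=eventfd)
SEC("tracepoint/syscalls/sys_exit_eventfd2")
int handle_sys_exit_eventfd2(struct syscall_trace_exit *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_EVENTFD2, ctx->ret))
        return 0;

    // Consume the stashed flags before reserving, so the map entry is removed
    // even when the exit record has to be dropped.
    __s32 flags = 0;
    __s32 *pending = bpf_map_lookup_elem(&eventfd_flags_map, &tid);
    if (pending) {
        flags = *pending;
        bpf_map_delete_elem(&eventfd_flags_map, &tid);
    }

    struct eventfd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(*ev), 0);
    if (!ev)
        return 0;

    ev->event_type = EXIT_EVENTFD_EVENT;
    ev->trace_id = SYS_EXIT_EVENTFD2;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->flags = flags; // 0 when nothing was stashed for this thread
    ev->ret = ctx->ret;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_eventfd is a struct eventfd_event (kind=eventfd)
SEC("tracepoint/syscalls/sys_enter_eventfd")
int handle_sys_enter_eventfd(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_EVENTFD))
        return 0;

    // This handler always records flags = 0 (no argument is read). The entry
    // is still written so it replaces any older value stored for this thread.
    __s32 flags = 0;
    bpf_map_update_elem(&eventfd_flags_map, &tid, &flags, BPF_ANY);

    struct eventfd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(*ev), 0);
    if (!ev)
        return 0;

    ev->event_type = ENTER_EVENTFD_EVENT;
    ev->trace_id = SYS_ENTER_EVENTFD;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->flags = flags;
    ev->ret = -1; // no return value exists at entry; -1 is the placeholder
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_eventfd is a struct eventfd_event (kind=eventfd)
SEC("tracepoint/syscalls/sys_exit_eventfd")
int handle_sys_exit_eventfd(struct syscall_trace_exit *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_EVENTFD, ctx->ret))
        return 0;

    // Consume the stashed flags before reserving, so the map entry is removed
    // even when the exit record has to be dropped.
    __s32 flags = 0;
    __s32 *pending = bpf_map_lookup_elem(&eventfd_flags_map, &tid);
    if (pending) {
        flags = *pending;
        bpf_map_delete_elem(&eventfd_flags_map, &tid);
    }

    struct eventfd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(*ev), 0);
    if (!ev)
        return 0;

    ev->event_type = EXIT_EVENTFD_EVENT;
    ev->trace_id = SYS_EXIT_EVENTFD;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->flags = flags; // 0 when nothing was stashed for this thread
    ev->ret = ctx->ret;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_timerfd_create is a struct eventfd_event (kind=eventfd)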
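/* Records the timerfd_create flags argument (args[1]) and saves it in
 * eventfd_flags_map under the tid for the exit handler. */
SEC("tracepoint/syscalls/sys_enter_timerfd_create")
int handle_sys_enter_timerfd_create(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_TIMERFD_CREATE))
        return 0;

    struct eventfd_event *ev =
        bpf_ringbuf_reserve(&event_map, sizeof(struct eventfd_event), 0);
    if (!ev)
        return 0; /* nothing reserved in event_map: the event is dropped */

    ev->event_type = ENTER_EVENTFD_EVENT;
    ev->trace_id = SYS_ENTER_TIMERFD_CREATE;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();

    __s32 flags = (__s32)ctx->args[1];
    /* Best effort: the result of the map update is not checked. */
    bpf_map_update_elem(&eventfd_flags_map, &tid, &flags, BPF_ANY);
    ev->flags = flags;
    ev->ret = -1; /* no return value exists at entry */
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_timerfd_create is a struct eventfd_event (kind=eventfd)
/// Reports the return value together with the flags saved at entry (0 when
/// no entry is found for this tid).
SEC("tracepoint/syscalls/sys_exit_timerfd_create")
int handle_sys_exit_timerfd_create(struct syscall_trace_exit *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    /* NOTE(review): the exit gate is keyed by the ENTER id, presumably to pair
     * with the entry - confirm against ior_on_syscall_exit(). */
    if (!ior_on_syscall_exit(tid, SYS_ENTER_TIMERFD_CREATE, ctx->ret))
        return 0;

    /* Take the saved flags out of the map before reserving. All eventfd-kind
     * handlers share eventfd_flags_map keyed by tid, so an entry left behind
     * by a failed reserve could be picked up by a later, unrelated syscall
     * on the same thread and reported as that call's flags. */
    __s32 flags = 0;
    __s32 *pending = bpf_map_lookup_elem(&eventfd_flags_map, &tid);
    if (pending) {
        flags = *pending;
        bpf_map_delete_elem(&eventfd_flags_map, &tid);
    }

    struct eventfd_event *ev =
        bpf_ringbuf_reserve(&event_map, sizeof(struct eventfd_event), 0);
    if (!ev)
        return 0;

    ev->event_type = EXIT_EVENTFD_EVENT;
    ev->trace_id = SYS_EXIT_TIMERFD_CREATE;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->flags = flags;
    ev->ret = ctx->ret;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_timerfd_settime is a struct fd_event (kind=fd)
/// Records the file descriptor passed as the first argument (args[0]).
SEC("tracepoint/syscalls/sys_enter_timerfd_settime")
int handle_sys_enter_timerfd_settime(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_TIMERFD_SETTIME))
        return 0;

    struct fd_event *ev =
        bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
    if (!ev)
        return 0;

    ev->event_type = ENTER_FD_EVENT;
    ev->trace_id = SYS_ENTER_TIMERFD_SETTIME;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->fd = (__s32)ctx->args[0];
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_timerfd_settime is a struct ret_event (UNCLASSIFIED) (kind=ret)
/// Reports the return value of the timerfd_settime syscall.
SEC("tracepoint/syscalls/sys_exit_timerfd_settime")
int handle_sys_exit_timerfd_settime(struct syscall_trace_exit *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_TIMERFD_SETTIME, ctx->ret))
        return 0;

    struct ret_event *ev =
        bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev)
        return 0;

    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_TIMERFD_SETTIME;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_timerfd_gettime is a struct fd_event (kind=fd)
/// Records the file descriptor passed as the first argument (args[0]).
SEC("tracepoint/syscalls/sys_enter_timerfd_gettime")
int handle_sys_enter_timerfd_gettime(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_TIMERFD_GETTIME))
        return 0;

    struct fd_event *ev =
        bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
    if (!ev)
        return 0;

    ev->event_type = ENTER_FD_EVENT;
    ev->trace_id = SYS_ENTER_TIMERFD_GETTIME;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->fd = (__s32)ctx->args[0];
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_timerfd_gettime is a struct ret_event (UNCLASSIFIED) (kind=ret)
/// Reports the return value of the timerfd_gettime syscall.
SEC("tracepoint/syscalls/sys_exit_timerfd_gettime")
int handle_sys_exit_timerfd_gettime(struct syscall_trace_exit *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_TIMERFD_GETTIME, ctx->ret))
        return 0;

    struct ret_event *ev =
        bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev)
        return 0;

    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_TIMERFD_GETTIME;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_signalfd4 is a struct eventfd_event (kind=eventfd)
/// Records the flags argument (args[3]) and saves it in eventfd_flags_map
/// under the tid for the exit handler.
SEC("tracepoint/syscalls/sys_enter_signalfd4")
int handle_sys_enter_signalfd4(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_SIGNALFD4))
        return 0;

    struct eventfd_event *ev =
        bpf_ringbuf_reserve(&event_map, sizeof(struct eventfd_event), 0);
    if (!ev)
        return 0;

    ev->event_type = ENTER_EVENTFD_EVENT;
    ev->trace_id = SYS_ENTER_SIGNALFD4;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();

    __s32 flags = (__s32)ctx->args[3];
    /* Best effort: the result of the map update is not checked. */
    bpf_map_update_elem(&eventfd_flags_map, &tid, &flags, BPF_ANY);
    ev->flags = flags;
    ev->ret = -1; /* no return value exists at entry */
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_signalfd4 is a struct eventfd_event (kind=eventfd)
/// Reports the return value together with the flags saved at entry (0 when
/// no entry is found for this tid).
SEC("tracepoint/syscalls/sys_exit_signalfd4")
int handle_sys_exit_signalfd4(struct syscall_trace_exit *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_SIGNALFD4, ctx->ret))
        return 0;

    /* Consume the saved flags before reserving so a failed reserve cannot
     * leave a stale per-tid entry in the shared eventfd_flags_map. */
    __s32 flags = 0;
    __s32 *pending = bpf_map_lookup_elem(&eventfd_flags_map, &tid);
    if (pending) {
        flags = *pending;
        bpf_map_delete_elem(&eventfd_flags_map, &tid);
    }

    struct eventfd_event *ev =
        bpf_ringbuf_reserve(&event_map, sizeof(struct eventfd_event), 0);
    if (!ev)
        return 0;

    ev->event_type = EXIT_EVENTFD_EVENT;
    ev->trace_id = SYS_EXIT_SIGNALFD4;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->flags = flags;
    ev->ret = ctx->ret;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_signalfd is a struct eventfd_event (kind=eventfd)
/// The legacy signalfd call has no flags argument, so 0 is recorded and saved
/// in eventfd_flags_map for the exit handler.
SEC("tracepoint/syscalls/sys_enter_signalfd")
int handle_sys_enter_signalfd(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_SIGNALFD))
        return 0;

    struct eventfd_event *ev =
        bpf_ringbuf_reserve(&event_map, sizeof(struct eventfd_event), 0);
    if (!ev)
        return 0;

    ev->event_type = ENTER_EVENTFD_EVENT;
    ev->trace_id = SYS_ENTER_SIGNALFD;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();

    __s32 flags = 0;
    /* Best effort: the result of the map update is not checked. */
    bpf_map_update_elem(&eventfd_flags_map, &tid, &flags, BPF_ANY);
    ev->flags = flags;
    ev->ret = -1; /* no return value exists at entry */
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_signalfd is a struct eventfd_event (kind=eventfd)
/// Reports the return value together with the flags saved at entry (0 when
/// no entry is found for this tid).
SEC("tracepoint/syscalls/sys_exit_signalfd")
int handle_sys_exit_signalfd(struct syscall_trace_exit *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_SIGNALFD, ctx->ret))
        return 0;

    /* Consume the saved flags before reserving so a failed reserve cannot
     * leave a stale per-tid entry in the shared eventfd_flags_map. */
    __s32 flags = 0;
    __s32 *pending = bpf_map_lookup_elem(&eventfd_flags_map, &tid);
    if (pending) {
        flags = *pending;
        bpf_map_delete_elem(&eventfd_flags_map, &tid);
    }

    struct eventfd_event *ev =
        bpf_ringbuf_reserve(&event_map, sizeof(struct eventfd_event), 0);
    if (!ev)
        return 0;

    ev->event_type = EXIT_EVENTFD_EVENT;
    ev->trace_id = SYS_EXIT_SIGNALFD;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->flags = flags;
    ev->ret = ctx->ret;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_epoll_create1 is a struct eventfd_event (kind=eventfd)
/// Records the flags argument (args[0]) and saves it in eventfd_flags_map
/// under the tid for the exit handler.
SEC("tracepoint/syscalls/sys_enter_epoll_create1")
int handle_sys_enter_epoll_create1(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_EPOLL_CREATE1))
        return 0;

    struct eventfd_event *ev =
        bpf_ringbuf_reserve(&event_map, sizeof(struct eventfd_event), 0);
    if (!ev)
        return 0;

    ev->event_type = ENTER_EVENTFD_EVENT;
    ev->trace_id = SYS_ENTER_EPOLL_CREATE1;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();

    __s32 flags = (__s32)ctx->args[0];
    /* Best effort: the result of the map update is not checked. */
    bpf_map_update_elem(&eventfd_flags_map, &tid, &flags, BPF_ANY);
    ev->flags = flags;
    ev->ret = -1; /* no return value exists at entry */
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_epoll_create1 is a struct eventfd_event (kind=eventfd)
/// Reports the return value together with the flags saved at entry (0 when
/// no entry is found for this tid).
SEC("tracepoint/syscalls/sys_exit_epoll_create1")
int handle_sys_exit_epoll_create1(struct syscall_trace_exit *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_EPOLL_CREATE1, ctx->ret))
        return 0;

    /* Consume the saved flags before reserving so a failed reserve cannot
     * leave a stale per-tid entry in the shared eventfd_flags_map. */
    __s32 flags = 0;
    __s32 *pending = bpf_map_lookup_elem(&eventfd_flags_map, &tid);
    if (pending) {
        flags = *pending;
        bpf_map_delete_elem(&eventfd_flags_map, &tid);
    }

    struct eventfd_event *ev =
        bpf_ringbuf_reserve(&event_map, sizeof(struct eventfd_event), 0);
    if (!ev)
        return 0;

    ev->event_type = EXIT_EVENTFD_EVENT;
    ev->trace_id = SYS_EXIT_EPOLL_CREATE1;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->flags = flags;
    ev->ret = ctx->ret;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_epoll_create is a struct eventfd_event (kind=eventfd)
/// The legacy epoll_create call has no flags argument, so 0 is recorded and
/// saved in eventfd_flags_map for the exit handler.
SEC("tracepoint/syscalls/sys_enter_epoll_create")
int handle_sys_enter_epoll_create(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_EPOLL_CREATE))
        return 0;

    struct eventfd_event *ev =
        bpf_ringbuf_reserve(&event_map, sizeof(struct eventfd_event), 0);
    if (!ev)
        return 0;

    ev->event_type = ENTER_EVENTFD_EVENT;
    ev->trace_id = SYS_ENTER_EPOLL_CREATE;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();

    __s32 flags = 0;
    /* Best effort: the result of the map update is not checked. */
    bpf_map_update_elem(&eventfd_flags_map, &tid, &flags, BPF_ANY);
    ev->flags = flags;
    ev->ret = -1; /* no return value exists at entry */
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_epoll_create is a struct eventfd_event (kind=eventfd)
/// Reports the return value together with the flags saved at entry (0 when
/// no entry is found for this tid).
SEC("tracepoint/syscalls/sys_exit_epoll_create")
int handle_sys_exit_epoll_create(struct syscall_trace_exit *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_EPOLL_CREATE, ctx->ret))
        return 0;

    /* Consume the saved flags before reserving so a failed reserve cannot
     * leave a stale per-tid entry in the shared eventfd_flags_map. */
    __s32 flags = 0;
    __s32 *pending = bpf_map_lookup_elem(&eventfd_flags_map, &tid);
    if (pending) {
        flags = *pending;
        bpf_map_delete_elem(&eventfd_flags_map, &tid);
    }

    struct eventfd_event *ev =
        bpf_ringbuf_reserve(&event_map, sizeof(struct eventfd_event), 0);
    if (!ev)
        return 0;

    ev->event_type = EXIT_EVENTFD_EVENT;
    ev->trace_id = SYS_EXIT_EPOLL_CREATE;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->flags = flags;
    ev->ret = ctx->ret;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_epoll_ctl is a struct epoll_ctl_event (kind=epoll-ctl)
/// Records epfd (args[0]), op (args[1]) and fd (args[2]), plus the leading
/// 32-bit events mask read from the user pointer in args[3].
SEC("tracepoint/syscalls/sys_enter_epoll_ctl")
int handle_sys_enter_epoll_ctl(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_EPOLL_CTL))
        return 0;

    struct epoll_ctl_event *ev =
        bpf_ringbuf_reserve(&event_map, sizeof(struct epoll_ctl_event), 0);
    if (!ev)
        return 0;

    ev->event_type = ENTER_EPOLL_CTL_EVENT;
    ev->trace_id = SYS_ENTER_EPOLL_CTL;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->epfd = (__s32)ctx->args[0];
    ev->op = (__s32)ctx->args[1];
    ev->fd = (__s32)ctx->args[2];

    /* events stays 0 when the pointer is NULL or the user read fails, so a
     * consumer cannot tell "no mask supplied" from an empty mask. */
    ev->events = 0;
    if (ctx->args[3] != 0) {
        __u32 user_events = 0;
        if (bpf_probe_read_user(&user_events, sizeof(user_events),
                                (void *)ctx->args[3]) == 0) {
            ev->events = user_events;
        }
    }
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_epoll_ctl is a struct ret_event (UNCLASSIFIED) (kind=ret)
/// Reports the return value of the epoll_ctl syscall.
SEC("tracepoint/syscalls/sys_exit_epoll_ctl")
int handle_sys_exit_epoll_ctl(struct syscall_trace_exit *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_EPOLL_CTL, ctx->ret))
        return 0;

    struct ret_event *ev =
        bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev)
        return 0;

    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_EPOLL_CTL;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_epoll_wait is a struct fd_event (kind=fd)
/// Records the file descriptor passed as the first argument (args[0]).
SEC("tracepoint/syscalls/sys_enter_epoll_wait")
int handle_sys_enter_epoll_wait(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_EPOLL_WAIT))
        return 0;

    struct fd_event *ev =
        bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
    if (!ev)
        return 0;

    ev->event_type = ENTER_FD_EVENT;
    ev->trace_id = SYS_ENTER_EPOLL_WAIT;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->fd = (__s32)ctx->args[0];
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_epoll_wait is a struct ret_event (UNCLASSIFIED) (kind=ret)
/// Reports the return value of the epoll_wait syscall.
SEC("tracepoint/syscalls/sys_exit_epoll_wait")
int handle_sys_exit_epoll_wait(struct syscall_trace_exit *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_EPOLL_WAIT, ctx->ret))
        return 0;

    struct ret_event *ev =
        bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev)
        return 0;

    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_EPOLL_WAIT;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_epoll_pwait is a struct fd_event (kind=fd)
/// Records the file descriptor passed as the first argument (args[0]).
SEC("tracepoint/syscalls/sys_enter_epoll_pwait")
int handle_sys_enter_epoll_pwait(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_EPOLL_PWAIT))
        return 0;

    struct fd_event *ev =
        bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
    if (!ev)
        return 0;

    ev->event_type = ENTER_FD_EVENT;
    ev->trace_id = SYS_ENTER_EPOLL_PWAIT;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->fd = (__s32)ctx->args[0];
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_epoll_pwait is a struct ret_event (UNCLASSIFIED) (kind=ret)
/// Reports the return value of the epoll_pwait syscall.
SEC("tracepoint/syscalls/sys_exit_epoll_pwait")
int handle_sys_exit_epoll_pwait(struct syscall_trace_exit *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_EPOLL_PWAIT, ctx->ret))
        return 0;

    struct ret_event *ev =
        bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev)
        return 0;

    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_EPOLL_PWAIT;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_epoll_pwait2 is a struct fd_event (kind=fd)
/// Records the file descriptor passed as the first argument (args[0]).
SEC("tracepoint/syscalls/sys_enter_epoll_pwait2")
int handle_sys_enter_epoll_pwait2(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_EPOLL_PWAIT2))
        return 0;

    struct fd_event *ev =
        bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
    if (!ev)
        return 0;

    ev->event_type = ENTER_FD_EVENT;
    ev->trace_id = SYS_ENTER_EPOLL_PWAIT2;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->fd = (__s32)ctx->args[0];
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_epoll_pwait2 is a struct ret_event (UNCLASSIFIED) (kind=ret)
/// Reports the return value of the epoll_pwait2 syscall.
SEC("tracepoint/syscalls/sys_exit_epoll_pwait2")
int handle_sys_exit_epoll_pwait2(struct syscall_trace_exit *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_EPOLL_PWAIT2, ctx->ret))
        return 0;

    struct ret_event *ev =
        bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev)
        return 0;

    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_EPOLL_PWAIT2;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_fanotify_init is a struct eventfd_event (kind=eventfd)
/// Records the flags argument (args[0]) and saves it in eventfd_flags_map
/// under the tid for the exit handler.
SEC("tracepoint/syscalls/sys_enter_fanotify_init")
int handle_sys_enter_fanotify_init(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_FANOTIFY_INIT))
        return 0;

    struct eventfd_event *ev =
        bpf_ringbuf_reserve(&event_map, sizeof(struct eventfd_event), 0);
    if (!ev)
        return 0;

    ev->event_type = ENTER_EVENTFD_EVENT;
    ev->trace_id = SYS_ENTER_FANOTIFY_INIT;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();

    __s32 flags = (__s32)ctx->args[0];
    /* Best effort: the result of the map update is not checked. */
    bpf_map_update_elem(&eventfd_flags_map, &tid, &flags, BPF_ANY);
    ev->flags = flags;
    ev->ret = -1; /* no return value exists at entry */
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_fanotify_init is a struct eventfd_event (kind=eventfd)
/// Reports the return value together with the flags saved at entry (0 when
/// no entry is found for this tid).
SEC("tracepoint/syscalls/sys_exit_fanotify_init")
int handle_sys_exit_fanotify_init(struct syscall_trace_exit *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_FANOTIFY_INIT, ctx->ret))
        return 0;

    /* Consume the saved flags before reserving so a failed reserve cannot
     * leave a stale per-tid entry in the shared eventfd_flags_map. */
    __s32 flags = 0;
    __s32 *pending = bpf_map_lookup_elem(&eventfd_flags_map, &tid);
    if (pending) {
        flags = *pending;
        bpf_map_delete_elem(&eventfd_flags_map, &tid);
    }

    struct eventfd_event *ev =
        bpf_ringbuf_reserve(&event_map, sizeof(struct eventfd_event), 0);
    if (!ev)
        return 0;

    ev->event_type = EXIT_EVENTFD_EVENT;
    ev->trace_id = SYS_EXIT_FANOTIFY_INIT;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->flags = flags;
    ev->ret = ctx->ret;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_fanotify_mark is a struct path_event (kind=pathname)
/// Copies the user-space pathname (args[4]) into the event. The copy is taken
/// at syscall entry from memory the caller controls, so it can differ from
/// what the kernel later resolves; treat it as advisory.
SEC("tracepoint/syscalls/sys_enter_fanotify_mark")
int handle_sys_enter_fanotify_mark(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_FANOTIFY_MARK))
        return 0;

    struct path_event *ev =
        bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
    if (!ev)
        return 0;

    ev->event_type = ENTER_PATH_EVENT;
    ev->trace_id = SYS_ENTER_FANOTIFY_MARK;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();

    /* Zero first so bytes past the string never carry old buffer contents.
     * The read result is ignored: a failed read is not reported separately,
     * and the string is cut at sizeof(ev->pathname). */
    __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
    bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void *)ctx->args[4]);
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_fanotify_mark is a struct ret_event (UNCLASSIFIED) (kind=ret)
/// Reports the return value of the fanotify_mark syscall.
SEC("tracepoint/syscalls/sys_exit_fanotify_mark")
int handle_sys_exit_fanotify_mark(struct syscall_trace_exit *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_FANOTIFY_MARK, ctx->ret))
        return 0;

    struct ret_event *ev =
        bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev)
        return 0;

    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_FANOTIFY_MARK;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_inotify_init1 is a struct eventfd_event (kind=eventfd)
/// Records the flags argument (args[0]) and saves it in eventfd_flags_map
/// under the tid for the exit handler.
SEC("tracepoint/syscalls/sys_enter_inotify_init1")
int handle_sys_enter_inotify_init1(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_INOTIFY_INIT1))
        return 0;

    struct eventfd_event *ev =
        bpf_ringbuf_reserve(&event_map, sizeof(struct eventfd_event), 0);
    if (!ev)
        return 0;

    ev->event_type = ENTER_EVENTFD_EVENT;
    ev->trace_id = SYS_ENTER_INOTIFY_INIT1;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();

    __s32 flags = (__s32)ctx->args[0];
    /* Best effort: the result of the map update is not checked. */
    bpf_map_update_elem(&eventfd_flags_map, &tid, &flags, BPF_ANY);
    ev->flags = flags;
    ev->ret = -1; /* no return value exists at entry */
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_inotify_init1 is a struct eventfd_event (kind=eventfd)
/// Reports the return value together with the flags saved at entry (0 when
/// no entry is found for this tid).
SEC("tracepoint/syscalls/sys_exit_inotify_init1")
int handle_sys_exit_inotify_init1(struct syscall_trace_exit *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_INOTIFY_INIT1, ctx->ret))
        return 0;

    /* Consume the saved flags before reserving so a failed reserve cannot
     * leave a stale per-tid entry in the shared eventfd_flags_map. */
    __s32 flags = 0;
    __s32 *pending = bpf_map_lookup_elem(&eventfd_flags_map, &tid);
    if (pending) {
        flags = *pending;
        bpf_map_delete_elem(&eventfd_flags_map, &tid);
    }

    struct eventfd_event *ev =
        bpf_ringbuf_reserve(&event_map, sizeof(struct eventfd_event), 0);
    if (!ev)
        return 0;

    ev->event_type = EXIT_EVENTFD_EVENT;
    ev->trace_id = SYS_EXIT_INOTIFY_INIT1;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->flags = flags;
    ev->ret = ctx->ret;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_inotify_init is a struct eventfd_event (kind=eventfd)
/// The legacy inotify_init call has no flags argument, so 0 is recorded and
/// saved in eventfd_flags_map for the exit handler.
SEC("tracepoint/syscalls/sys_enter_inotify_init")
int handle_sys_enter_inotify_init(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_INOTIFY_INIT))
        return 0;

    struct eventfd_event *ev =
        bpf_ringbuf_reserve(&event_map, sizeof(struct eventfd_event), 0);
    if (!ev)
        return 0;

    ev->event_type = ENTER_EVENTFD_EVENT;
    ev->trace_id = SYS_ENTER_INOTIFY_INIT;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();

    __s32 flags = 0;
    /* Best effort: the result of the map update is not checked. */
    bpf_map_update_elem(&eventfd_flags_map, &tid, &flags, BPF_ANY);
    ev->flags = flags;
    ev->ret = -1; /* no return value exists at entry */
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_inotify_init is a struct eventfd_event (kind=eventfd)
/// Reports the return value together with the flags saved at entry (0 when
/// no entry is found for this tid).
SEC("tracepoint/syscalls/sys_exit_inotify_init")
int handle_sys_exit_inotify_init(struct syscall_trace_exit *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_INOTIFY_INIT, ctx->ret))
        return 0;

    /* Consume the saved flags before reserving so a failed reserve cannot
     * leave a stale per-tid entry in the shared eventfd_flags_map. */
    __s32 flags = 0;
    __s32 *pending = bpf_map_lookup_elem(&eventfd_flags_map, &tid);
    if (pending) {
        flags = *pending;
        bpf_map_delete_elem(&eventfd_flags_map, &tid);
    }

    struct eventfd_event *ev =
        bpf_ringbuf_reserve(&event_map, sizeof(struct eventfd_event), 0);
    if (!ev)
        return 0;

    ev->event_type = EXIT_EVENTFD_EVENT;
    ev->trace_id = SYS_EXIT_INOTIFY_INIT;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->flags = flags;
    ev->ret = ctx->ret;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_inotify_add_watch is a struct fd_event (kind=fd)
/// Records only the inotify file descriptor (args[0]); the watched pathname
/// argument is not captured by this handler.
SEC("tracepoint/syscalls/sys_enter_inotify_add_watch")
int handle_sys_enter_inotify_add_watch(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_INOTIFY_ADD_WATCH))
        return 0;

    struct fd_event *ev =
        bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
    if (!ev)
        return 0;

    ev->event_type = ENTER_FD_EVENT;
    ev->trace_id = SYS_ENTER_INOTIFY_ADD_WATCH;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->fd = (__s32)ctx->args[0];
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_inotify_add_watch is a struct ret_event (UNCLASSIFIED) (kind=ret)
/// Reports the return value of the inotify_add_watch syscall.
SEC("tracepoint/syscalls/sys_exit_inotify_add_watch")
int handle_sys_exit_inotify_add_watch(struct syscall_trace_exit *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_INOTIFY_ADD_WATCH, ctx->ret))
        return 0;

    struct ret_event *ev =
        bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev)
        return 0;

    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_INOTIFY_ADD_WATCH;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_inotify_rm_watch is a struct fd_event (kind=fd)
/// Records the file descriptor passed as the first argument (args[0]).
SEC("tracepoint/syscalls/sys_enter_inotify_rm_watch")
int handle_sys_enter_inotify_rm_watch(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_INOTIFY_RM_WATCH))
        return 0;

    struct fd_event *ev =
        bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
    if (!ev)
        return 0;

    ev->event_type = ENTER_FD_EVENT;
    ev->trace_id = SYS_ENTER_INOTIFY_RM_WATCH;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->fd = (__s32)ctx->args[0];
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_inotify_rm_watch is a struct ret_event (UNCLASSIFIED) (kind=ret)
/// Reports the return value of the inotify_rm_watch syscall.
SEC("tracepoint/syscalls/sys_exit_inotify_rm_watch")
int handle_sys_exit_inotify_rm_watch(struct syscall_trace_exit *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_INOTIFY_RM_WATCH, ctx->ret))
        return 0;

    struct ret_event *ev =
        bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev)
        return 0;

    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_INOTIFY_RM_WATCH;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_file_getattr is a struct path_event (kind=pathname)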
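/* Copies the user-space pathname (args[1]) of file_getattr into the event.
 * The copy is taken at syscall entry from memory the caller controls, so it
 * can differ from what the kernel later resolves; treat it as advisory. */
SEC("tracepoint/syscalls/sys_enter_file_getattr")
int handle_sys_enter_file_getattr(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_FILE_GETATTR))
        return 0;

    struct path_event *ev =
        bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
    if (!ev)
        return 0; /* nothing reserved in event_map: the event is dropped */

    ev->event_type = ENTER_PATH_EVENT;
    ev->trace_id = SYS_ENTER_FILE_GETATTR;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();

    /* Zero first so bytes past the string never carry old buffer contents.
     * The read result is ignored: a failed read is not reported separately,
     * and the string is cut at sizeof(ev->pathname). */
    __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
    bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void *)ctx->args[1]);
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_file_getattr is a struct ret_event (UNCLASSIFIED) (kind=ret)
/// Reports the return value of the file_getattr syscall.
SEC("tracepoint/syscalls/sys_exit_file_getattr")
int handle_sys_exit_file_getattr(struct syscall_trace_exit *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    /* NOTE(review): the exit gate is keyed by the ENTER id, presumably to pair
     * with the entry - confirm against ior_on_syscall_exit(). */
    if (!ior_on_syscall_exit(tid, SYS_ENTER_FILE_GETATTR, ctx->ret))
        return 0;

    struct ret_event *ev =
        bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev)
        return 0;

    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_FILE_GETATTR;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_file_setattr is a struct path_event (kind=pathname)
/// Copies the user-space pathname (args[1]) into the event; the attribute
/// payload itself is not captured. The pathname is an entry-time copy of
/// caller-controlled memory and should be treated as advisory.
SEC("tracepoint/syscalls/sys_enter_file_setattr")
int handle_sys_enter_file_setattr(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_FILE_SETATTR))
        return 0;

    struct path_event *ev =
        bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
    if (!ev)
        return 0;

    ev->event_type = ENTER_PATH_EVENT;
    ev->trace_id = SYS_ENTER_FILE_SETATTR;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();

    /* Zeroed first; the read result is ignored and the string is cut at
     * sizeof(ev->pathname). */
    __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
    bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void *)ctx->args[1]);
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_file_setattr is a struct ret_event (UNCLASSIFIED) (kind=ret)
/// Reports the return value of the file_setattr syscall.
SEC("tracepoint/syscalls/sys_exit_file_setattr")
int handle_sys_exit_file_setattr(struct syscall_trace_exit *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_FILE_SETATTR, ctx->ret))
        return 0;

    struct ret_event *ev =
        bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev)
        return 0;

    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_FILE_SETATTR;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_fsopen is a struct eventfd_event (kind=eventfd)
/// Records the flags argument (args[1]) and saves it in eventfd_flags_map
/// under the tid for the exit handler; the filesystem name in args[0] is not
/// captured.
SEC("tracepoint/syscalls/sys_enter_fsopen")
int handle_sys_enter_fsopen(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_FSOPEN))
        return 0;

    struct eventfd_event *ev =
        bpf_ringbuf_reserve(&event_map, sizeof(struct eventfd_event), 0);
    if (!ev)
        return 0;

    ev->event_type = ENTER_EVENTFD_EVENT;
    ev->trace_id = SYS_ENTER_FSOPEN;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();

    __s32 flags = (__s32)ctx->args[1];
    /* Best effort: the result of the map update is not checked. */
    bpf_map_update_elem(&eventfd_flags_map, &tid, &flags, BPF_ANY);
    ev->flags = flags;
    ev->ret = -1; /* no return value exists at entry */
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_fsopen is a struct eventfd_event (kind=eventfd)
/// Reports the return value together with the flags saved at entry (0 when
/// no entry is found for this tid).
SEC("tracepoint/syscalls/sys_exit_fsopen")
int handle_sys_exit_fsopen(struct syscall_trace_exit *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_FSOPEN, ctx->ret))
        return 0;

    /* Take the saved flags out of the map before reserving. eventfd_flags_map
     * is keyed by tid only, so an entry left behind by a failed reserve could
     * be picked up by a later syscall on the same thread and reported as that
     * call's flags. */
    __s32 flags = 0;
    __s32 *pending = bpf_map_lookup_elem(&eventfd_flags_map, &tid);
    if (pending) {
        flags = *pending;
        bpf_map_delete_elem(&eventfd_flags_map, &tid);
    }

    struct eventfd_event *ev =
        bpf_ringbuf_reserve(&event_map, sizeof(struct eventfd_event), 0);
    if (!ev)
        return 0;

    ev->event_type = EXIT_EVENTFD_EVENT;
    ev->trace_id = SYS_EXIT_FSOPEN;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->flags = flags;
    ev->ret = ctx->ret;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_fspick is a struct path_event (kind=pathname)
/// Copies the user-space pathname (args[1]) into the event. The pathname is
/// an entry-time copy of caller-controlled memory and should be treated as
/// advisory.
SEC("tracepoint/syscalls/sys_enter_fspick")
int handle_sys_enter_fspick(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_FSPICK))
        return 0;

    struct path_event *ev =
        bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
    if (!ev)
        return 0;

    ev->event_type = ENTER_PATH_EVENT;
    ev->trace_id = SYS_ENTER_FSPICK;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();

    /* Zeroed first; the read result is ignored and the string is cut at
     * sizeof(ev->pathname). */
    __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
    bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void *)ctx->args[1]);
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_fspick is a struct ret_event (UNCLASSIFIED) (kind=ret)
/// Reports the return value of the fspick syscall.
SEC("tracepoint/syscalls/sys_exit_fspick")
int handle_sys_exit_fspick(struct syscall_trace_exit *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_FSPICK, ctx->ret))
        return 0;

    struct ret_event *ev =
        bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev)
        return 0;

    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_FSPICK;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_fsconfig is a struct fd_event (kind=fd)
/// Records only the file descriptor (args[0]); the remaining fsconfig
/// arguments are not captured by this handler.
SEC("tracepoint/syscalls/sys_enter_fsconfig")
int handle_sys_enter_fsconfig(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_FSCONFIG))
        return 0;

    struct fd_event *ev =
        bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
    if (!ev)
        return 0;

    ev->event_type = ENTER_FD_EVENT;
    ev->trace_id = SYS_ENTER_FSCONFIG;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->fd = (__s32)ctx->args[0];
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_fsconfig is a struct ret_event (UNCLASSIFIED) (kind=ret)
/// Reports the return value of the fsconfig syscall.
SEC("tracepoint/syscalls/sys_exit_fsconfig")
int handle_sys_exit_fsconfig(struct syscall_trace_exit *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_FSCONFIG, ctx->ret))
        return 0;

    struct ret_event *ev =
        bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev)
        return 0;

    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_FSCONFIG;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_statfs is a struct path_event (kind=pathname)
/// Copies the user-space pathname (args[0]) into the event. The pathname is
/// an entry-time copy of caller-controlled memory and should be treated as
/// advisory.
SEC("tracepoint/syscalls/sys_enter_statfs")
int handle_sys_enter_statfs(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_STATFS))
        return 0;

    struct path_event *ev =
        bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
    if (!ev)
        return 0;

    ev->event_type = ENTER_PATH_EVENT;
    ev->trace_id = SYS_ENTER_STATFS;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();

    /* Zeroed first; the read result is ignored and the string is cut at
     * sizeof(ev->pathname). */
    __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
    bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void *)ctx->args[0]);
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_statfs is a struct ret_event (UNCLASSIFIED) (kind=ret)
/// Reports the return value of the statfs syscall.
SEC("tracepoint/syscalls/sys_exit_statfs")
int handle_sys_exit_statfs(struct syscall_trace_exit *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_STATFS, ctx->ret))
        return 0;

    struct ret_event *ev =
        bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev)
        return 0;

    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_STATFS;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

///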
/// sys_enter_fstatfs is a struct fd_event (kind=fd)
///
/// Shared shape of the handlers below: return early when filter() is
/// non-zero or the ior_on_syscall_enter()/ior_on_syscall_exit() gate is
/// zero, reserve one record from event_map, fill it and submit it. A failed
/// reserve returns 0 with no record and nothing here counts the drop, so
/// that event is simply missing from the stream; consumers should not read
/// a missing event as "the syscall did not happen".
SEC("tracepoint/syscalls/sys_enter_fstatfs")
int handle_sys_enter_fstatfs(struct syscall_trace_enter *ctx)
{
    struct fd_event *evt;
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_FSTATFS))
        return 0;

    evt = bpf_ringbuf_reserve(&event_map, sizeof(*evt), 0);
    if (!evt)
        return 0;

    evt->event_type = ENTER_FD_EVENT;
    evt->trace_id = SYS_ENTER_FSTATFS;
    evt->pid = pid;
    evt->tid = tid;
    evt->time = bpf_ktime_get_boot_ns();
    evt->fd = (__s32)ctx->args[0];
    bpf_ringbuf_submit(evt, 0);
    return 0;
}

/// sys_exit_fstatfs is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_fstatfs")
int handle_sys_exit_fstatfs(struct syscall_trace_exit *ctx)
{
    struct ret_event *evt;
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_FSTATFS, ctx->ret))
        return 0;

    evt = bpf_ringbuf_reserve(&event_map, sizeof(*evt), 0);
    if (!evt)
        return 0;

    evt->event_type = EXIT_RET_EVENT;
    evt->trace_id = SYS_EXIT_FSTATFS;
    evt->pid = pid;
    evt->tid = tid;
    evt->time = bpf_ktime_get_boot_ns();
    evt->ret = ctx->ret;
    evt->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(evt, 0);
    return 0;
}

/// sys_enter_ustat is a struct null_event (kind=null)
/// No syscall arguments are captured.
SEC("tracepoint/syscalls/sys_enter_ustat")
int handle_sys_enter_ustat(struct syscall_trace_enter *ctx)
{
    struct null_event *evt;
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_USTAT))
        return 0;

    evt = bpf_ringbuf_reserve(&event_map, sizeof(*evt), 0);
    if (!evt)
        return 0;

    evt->event_type = ENTER_NULL_EVENT;
    evt->trace_id = SYS_ENTER_USTAT;
    evt->pid = pid;
    evt->tid = tid;
    evt->time = bpf_ktime_get_boot_ns();
    bpf_ringbuf_submit(evt, 0);
    return 0;
}

/// sys_exit_ustat is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_ustat")
int handle_sys_exit_ustat(struct syscall_trace_exit *ctx)
{
    struct ret_event *evt;
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_USTAT, ctx->ret))
        return 0;

    evt = bpf_ringbuf_reserve(&event_map, sizeof(*evt), 0);
    if (!evt)
        return 0;

    evt->event_type = EXIT_RET_EVENT;
    evt->trace_id = SYS_EXIT_USTAT;
    evt->pid = pid;
    evt->tid = tid;
    evt->time = bpf_ktime_get_boot_ns();
    evt->ret = ctx->ret;
    evt->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(evt, 0);
    return 0;
}

/// sys_enter_getcwd is a struct null_event (kind=null)
/// No syscall arguments are captured.
SEC("tracepoint/syscalls/sys_enter_getcwd")
int handle_sys_enter_getcwd(struct syscall_trace_enter *ctx)
{
    struct null_event *evt;
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_GETCWD))
        return 0;

    evt = bpf_ringbuf_reserve(&event_map, sizeof(*evt), 0);
    if (!evt)
        return 0;

    evt->event_type = ENTER_NULL_EVENT;
    evt->trace_id = SYS_ENTER_GETCWD;
    evt->pid = pid;
    evt->tid = tid;
    evt->time = bpf_ktime_get_boot_ns();
    bpf_ringbuf_submit(evt, 0);
    return 0;
}

/// sys_exit_getcwd is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_getcwd")
int handle_sys_exit_getcwd(struct syscall_trace_exit *ctx)
{
    struct ret_event *evt;
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_GETCWD, ctx->ret))
        return 0;

    evt = bpf_ringbuf_reserve(&event_map, sizeof(*evt), 0);
    if (!evt)
        return 0;

    evt->event_type = EXIT_RET_EVENT;
    evt->trace_id = SYS_EXIT_GETCWD;
    evt->pid = pid;
    evt->tid = tid;
    evt->time = bpf_ktime_get_boot_ns();
    evt->ret = ctx->ret;
    evt->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(evt, 0);
    return 0;
}

/// sys_enter_utimensat is a struct path_event (kind=pathname)
/// Copies the user path from args[1]; args[0] (dirfd) is not recorded.
SEC("tracepoint/syscalls/sys_enter_utimensat")
int handle_sys_enter_utimensat(struct syscall_trace_enter *ctx)
{
    struct path_event *evt;
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_UTIMENSAT))
        return 0;

    evt = bpf_ringbuf_reserve(&event_map, sizeof(*evt), 0);
    if (!evt)
        return 0;

    evt->event_type = ENTER_PATH_EVENT;
    evt->trace_id = SYS_ENTER_UTIMENSAT;
    evt->pid = pid;
    evt->tid = tid;
    evt->time = bpf_ktime_get_boot_ns();
    /*
     * Best-effort copy of the user-supplied path at syscall entry. The
     * helper's return value is ignored: a NULL or faulting pointer leaves
     * the zeroed pathname empty, and a path longer than the buffer is
     * truncated. The kernel copies the path again when it runs the syscall,
     * so the logged string can differ from the one acted on if the caller
     * rewrites its buffer in between.
     *
     * utimensat() may be called with a NULL pathname to act on dirfd itself
     * (futimens() is commonly implemented this way). Such a timestamp
     * change shows up here with an empty path and no descriptor.
     */
    __builtin_memset(&(evt->pathname), 0, sizeof(evt->pathname));
    bpf_probe_read_user_str(evt->pathname, sizeof(evt->pathname), (void *)ctx->args[1]);
    bpf_ringbuf_submit(evt, 0);
    return 0;
}

/// sys_exit_utimensat is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_utimensat")
int handle_sys_exit_utimensat(struct syscall_trace_exit *ctx)
{
    struct ret_event *evt;
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_UTIMENSAT, ctx->ret))
        return 0;

    evt = bpf_ringbuf_reserve(&event_map, sizeof(*evt), 0);
    if (!evt)
        return 0;

    evt->event_type = EXIT_RET_EVENT;
    evt->trace_id = SYS_EXIT_UTIMENSAT;
    evt->pid = pid;
    evt->tid = tid;
    evt->time = bpf_ktime_get_boot_ns();
    evt->ret = ctx->ret;
    evt->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(evt, 0);
    return 0;
}

/// sys_enter_futimesat is a struct path_event (kind=pathname)
/// Copies the user path from args[1]; args[0] (dirfd) is not recorded.
SEC("tracepoint/syscalls/sys_enter_futimesat")
int handle_sys_enter_futimesat(struct syscall_trace_enter *ctx)
{
    struct path_event *evt;
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_FUTIMESAT))
        return 0;

    evt = bpf_ringbuf_reserve(&event_map, sizeof(*evt), 0);
    if (!evt)
        return 0;

    evt->event_type = ENTER_PATH_EVENT;
    evt->trace_id = SYS_ENTER_FUTIMESAT;
    evt->pid = pid;
    evt->tid = tid;
    evt->time = bpf_ktime_get_boot_ns();
    /* Same best-effort path capture as handle_sys_enter_utimensat. */
    __builtin_memset(&(evt->pathname), 0, sizeof(evt->pathname));
    bpf_probe_read_user_str(evt->pathname, sizeof(evt->pathname), (void *)ctx->args[1]);
    bpf_ringbuf_submit(evt, 0);
    return 0;
}

/// sys_exit_futimesat is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_futimesat")
int handle_sys_exit_futimesat(struct syscall_trace_exit *ctx)
{
    struct ret_event *evt;
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_FUTIMESAT, ctx->ret))
        return 0;

    evt = bpf_ringbuf_reserve(&event_map, sizeof(*evt), 0);
    if (!evt)
        return 0;

    evt->event_type = EXIT_RET_EVENT;
    evt->trace_id = SYS_EXIT_FUTIMESAT;
    evt->pid = pid;
    evt->tid = tid;
    evt->time = bpf_ktime_get_boot_ns();
    evt->ret = ctx->ret;
    evt->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(evt, 0);
    return 0;
}

/// sys_enter_utimes is a struct path_event (kind=pathname)
/// Copies the user path from args[0].
SEC("tracepoint/syscalls/sys_enter_utimes")
int handle_sys_enter_utimes(struct syscall_trace_enter *ctx)
{
    struct path_event *evt;
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_UTIMES))
        return 0;

    evt = bpf_ringbuf_reserve(&event_map, sizeof(*evt), 0);
    if (!evt)
        return 0;

    evt->event_type = ENTER_PATH_EVENT;
    evt->trace_id = SYS_ENTER_UTIMES;
    evt->pid = pid;
    evt->tid = tid;
    evt->time = bpf_ktime_get_boot_ns();
    /* Same best-effort path capture as handle_sys_enter_utimensat. */
    __builtin_memset(&(evt->pathname), 0, sizeof(evt->pathname));
    bpf_probe_read_user_str(evt->pathname, sizeof(evt->pathname), (void *)ctx->args[0]);
    bpf_ringbuf_submit(evt, 0);
    return 0;
}

/// sys_exit_utimes is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_utimes")
int handle_sys_exit_utimes(struct syscall_trace_exit *ctx)
{
    struct ret_event *evt;
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_UTIMES, ctx->ret))
        return 0;

    evt = bpf_ringbuf_reserve(&event_map, sizeof(*evt), 0);
    if (!evt)
        return 0;

    evt->event_type = EXIT_RET_EVENT;
    evt->trace_id = SYS_EXIT_UTIMES;
    evt->pid = pid;
    evt->tid = tid;
    evt->time = bpf_ktime_get_boot_ns();
    evt->ret = ctx->ret;
    evt->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(evt, 0);
    return 0;
}

/// sys_enter_utime is a struct path_event (kind=pathname)
/// Copies the user path from args[0].
SEC("tracepoint/syscalls/sys_enter_utime")
int handle_sys_enter_utime(struct syscall_trace_enter *ctx)
{
    struct path_event *evt;
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_UTIME))
        return 0;

    evt = bpf_ringbuf_reserve(&event_map, sizeof(*evt), 0);
    if (!evt)
        return 0;

    evt->event_type = ENTER_PATH_EVENT;
    evt->trace_id = SYS_ENTER_UTIME;
    evt->pid = pid;
    evt->tid = tid;
    evt->time = bpf_ktime_get_boot_ns();
    /* Same best-effort path capture as handle_sys_enter_utimensat. */
    __builtin_memset(&(evt->pathname), 0, sizeof(evt->pathname));
    bpf_probe_read_user_str(evt->pathname, sizeof(evt->pathname), (void *)ctx->args[0]);
    bpf_ringbuf_submit(evt, 0);
    return 0;
}

/// sys_exit_utime is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_utime")
int handle_sys_exit_utime(struct syscall_trace_exit *ctx)
{
    struct ret_event *evt;
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_UTIME, ctx->ret))
        return 0;

    evt = bpf_ringbuf_reserve(&event_map, sizeof(*evt), 0);
    if (!evt)
        return 0;

    evt->event_type = EXIT_RET_EVENT;
    evt->trace_id = SYS_EXIT_UTIME;
    evt->pid = pid;
    evt->tid = tid;
    evt->time = bpf_ktime_get_boot_ns();
    evt->ret = ctx->ret;
    evt->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(evt, 0);
    return 0;
}

/// sys_enter_sync is a struct null_event (kind=null)
/// No syscall arguments are captured.
SEC("tracepoint/syscalls/sys_enter_sync")
int handle_sys_enter_sync(struct syscall_trace_enter *ctx)
{
    struct null_event *evt;
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_SYNC))
        return 0;

    evt = bpf_ringbuf_reserve(&event_map, sizeof(*evt), 0);
    if (!evt)
        return 0;

    evt->event_type = ENTER_NULL_EVENT;
    evt->trace_id = SYS_ENTER_SYNC;
    evt->pid = pid;
    evt->tid = tid;
    evt->time = bpf_ktime_get_boot_ns();
    bpf_ringbuf_submit(evt, 0);
    return 0;
}

/// sys_exit_sync is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_sync")
int handle_sys_exit_sync(struct syscall_trace_exit *ctx)
{
    struct ret_event *evt;
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_SYNC, ctx->ret))
        return 0;

    evt = bpf_ringbuf_reserve(&event_map, sizeof(*evt), 0);
    if (!evt)
        return 0;

    evt->event_type = EXIT_RET_EVENT;
    evt->trace_id = SYS_EXIT_SYNC;
    evt->pid = pid;
    evt->tid = tid;
    evt->time = bpf_ktime_get_boot_ns();
    evt->ret = ctx->ret;
    evt->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(evt, 0);
    return 0;
}

///
/// sys_enter_syncfs is a struct fd_event (kind=fd)
///
/// Shared shape of the handlers below: return early when filter() is
/// non-zero or the ior_on_syscall_enter()/ior_on_syscall_exit() gate is
/// zero, reserve one record from event_map, fill it and submit it. A failed
/// reserve returns 0 with no record and nothing here counts the drop, so
/// that event is simply missing from the stream; consumers should not read
/// a missing event as "the syscall did not happen".
SEC("tracepoint/syscalls/sys_enter_syncfs")
int handle_sys_enter_syncfs(struct syscall_trace_enter *ctx)
{
    struct fd_event *evt;
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_SYNCFS))
        return 0;

    evt = bpf_ringbuf_reserve(&event_map, sizeof(*evt), 0);
    if (!evt)
        return 0;

    evt->event_type = ENTER_FD_EVENT;
    evt->trace_id = SYS_ENTER_SYNCFS;
    evt->pid = pid;
    evt->tid = tid;
    evt->time = bpf_ktime_get_boot_ns();
    evt->fd = (__s32)ctx->args[0];
    bpf_ringbuf_submit(evt, 0);
    return 0;
}

/// sys_exit_syncfs is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_syncfs")
int handle_sys_exit_syncfs(struct syscall_trace_exit *ctx)
{
    struct ret_event *evt;
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_SYNCFS, ctx->ret))
        return 0;

    evt = bpf_ringbuf_reserve(&event_map, sizeof(*evt), 0);
    if (!evt)
        return 0;

    evt->event_type = EXIT_RET_EVENT;
    evt->trace_id = SYS_EXIT_SYNCFS;
    evt->pid = pid;
    evt->tid = tid;
    evt->time = bpf_ktime_get_boot_ns();
    evt->ret = ctx->ret;
    evt->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(evt, 0);
    return 0;
}

/// sys_enter_fsync is a struct fd_event (kind=fd)
SEC("tracepoint/syscalls/sys_enter_fsync")
int handle_sys_enter_fsync(struct syscall_trace_enter *ctx)
{
    struct fd_event *evt;
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_FSYNC))
        return 0;

    evt = bpf_ringbuf_reserve(&event_map, sizeof(*evt), 0);
    if (!evt)
        return 0;

    evt->event_type = ENTER_FD_EVENT;
    evt->trace_id = SYS_ENTER_FSYNC;
    evt->pid = pid;
    evt->tid = tid;
    evt->time = bpf_ktime_get_boot_ns();
    evt->fd = (__s32)ctx->args[0];
    bpf_ringbuf_submit(evt, 0);
    return 0;
}

/// sys_exit_fsync is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_fsync")
int handle_sys_exit_fsync(struct syscall_trace_exit *ctx)
{
    struct ret_event *evt;
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_FSYNC, ctx->ret))
        return 0;

    evt = bpf_ringbuf_reserve(&event_map, sizeof(*evt), 0);
    if (!evt)
        return 0;

    evt->event_type = EXIT_RET_EVENT;
    evt->trace_id = SYS_EXIT_FSYNC;
    evt->pid = pid;
    evt->tid = tid;
    evt->time = bpf_ktime_get_boot_ns();
    evt->ret = ctx->ret;
    evt->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(evt, 0);
    return 0;
}

/// sys_enter_fdatasync is a struct fd_event (kind=fd)
SEC("tracepoint/syscalls/sys_enter_fdatasync")
int handle_sys_enter_fdatasync(struct syscall_trace_enter *ctx)
{
    struct fd_event *evt;
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_FDATASYNC))
        return 0;

    evt = bpf_ringbuf_reserve(&event_map, sizeof(*evt), 0);
    if (!evt)
        return 0;

    evt->event_type = ENTER_FD_EVENT;
    evt->trace_id = SYS_ENTER_FDATASYNC;
    evt->pid = pid;
    evt->tid = tid;
    evt->time = bpf_ktime_get_boot_ns();
    evt->fd = (__s32)ctx->args[0];
    bpf_ringbuf_submit(evt, 0);
    return 0;
}

/// sys_exit_fdatasync is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_fdatasync")
int handle_sys_exit_fdatasync(struct syscall_trace_exit *ctx)
{
    struct ret_event *evt;
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_FDATASYNC, ctx->ret))
        return 0;

    evt = bpf_ringbuf_reserve(&event_map, sizeof(*evt), 0);
    if (!evt)
        return 0;

    evt->event_type = EXIT_RET_EVENT;
    evt->trace_id = SYS_EXIT_FDATASYNC;
    evt->pid = pid;
    evt->tid = tid;
    evt->time = bpf_ktime_get_boot_ns();
    evt->ret = ctx->ret;
    evt->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(evt, 0);
    return 0;
}

/// sys_enter_sync_file_range is a struct fd_event (kind=fd)
SEC("tracepoint/syscalls/sys_enter_sync_file_range")
int handle_sys_enter_sync_file_range(struct syscall_trace_enter *ctx)
{
    struct fd_event *evt;
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_SYNC_FILE_RANGE))
        return 0;

    evt = bpf_ringbuf_reserve(&event_map, sizeof(*evt), 0);
    if (!evt)
        return 0;

    evt->event_type = ENTER_FD_EVENT;
    evt->trace_id = SYS_ENTER_SYNC_FILE_RANGE;
    evt->pid = pid;
    evt->tid = tid;
    evt->time = bpf_ktime_get_boot_ns();
    evt->fd = (__s32)ctx->args[0];
    bpf_ringbuf_submit(evt, 0);
    return 0;
}

/// sys_exit_sync_file_range is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_sync_file_range")
int handle_sys_exit_sync_file_range(struct syscall_trace_exit *ctx)
{
    struct ret_event *evt;
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_SYNC_FILE_RANGE, ctx->ret))
        return 0;

    evt = bpf_ringbuf_reserve(&event_map, sizeof(*evt), 0);
    if (!evt)
        return 0;

    evt->event_type = EXIT_RET_EVENT;
    evt->trace_id = SYS_EXIT_SYNC_FILE_RANGE;
    evt->pid = pid;
    evt->tid = tid;
    evt->time = bpf_ktime_get_boot_ns();
    evt->ret = ctx->ret;
    evt->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(evt, 0);
    return 0;
}

/// sys_enter_vmsplice is a struct fd_event (kind=fd)
SEC("tracepoint/syscalls/sys_enter_vmsplice")
int handle_sys_enter_vmsplice(struct syscall_trace_enter *ctx)
{
    struct fd_event *evt;
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_VMSPLICE))
        return 0;

    evt = bpf_ringbuf_reserve(&event_map, sizeof(*evt), 0);
    if (!evt)
        return 0;

    evt->event_type = ENTER_FD_EVENT;
    evt->trace_id = SYS_ENTER_VMSPLICE;
    evt->pid = pid;
    evt->tid = tid;
    evt->time = bpf_ktime_get_boot_ns();
    evt->fd = (__s32)ctx->args[0];
    bpf_ringbuf_submit(evt, 0);
    return 0;
}

/// sys_exit_vmsplice is a struct ret_event (TRANSFER_CLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_vmsplice")
int handle_sys_exit_vmsplice(struct syscall_trace_exit *ctx)
{
    struct ret_event *evt;
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_VMSPLICE, ctx->ret))
        return 0;

    evt = bpf_ringbuf_reserve(&event_map, sizeof(*evt), 0);
    if (!evt)
        return 0;

    evt->event_type = EXIT_RET_EVENT;
    evt->trace_id = SYS_EXIT_VMSPLICE;
    evt->pid = pid;
    evt->tid = tid;
    evt->time = bpf_ktime_get_boot_ns();
    evt->ret = ctx->ret;
    evt->ret_type = TRANSFER_CLASSIFIED;
    bpf_ringbuf_submit(evt, 0);
    return 0;
}

/// sys_enter_splice is a struct fd_event (kind=fd)
/// Only args[0] (the input descriptor) is recorded; splice() also takes an
/// output descriptor in args[2], which does not appear in the event.
SEC("tracepoint/syscalls/sys_enter_splice")
int handle_sys_enter_splice(struct syscall_trace_enter *ctx)
{
    struct fd_event *evt;
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_SPLICE))
        return 0;

    evt = bpf_ringbuf_reserve(&event_map, sizeof(*evt), 0);
    if (!evt)
        return 0;

    evt->event_type = ENTER_FD_EVENT;
    evt->trace_id = SYS_ENTER_SPLICE;
    evt->pid = pid;
    evt->tid = tid;
    evt->time = bpf_ktime_get_boot_ns();
    evt->fd = (__s32)ctx->args[0];
    bpf_ringbuf_submit(evt, 0);
    return 0;
}

/// sys_exit_splice is a struct ret_event (TRANSFER_CLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_splice")
int handle_sys_exit_splice(struct syscall_trace_exit *ctx)
{
    struct ret_event *evt;
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_SPLICE, ctx->ret))
        return 0;

    evt = bpf_ringbuf_reserve(&event_map, sizeof(*evt), 0);
    if (!evt)
        return 0;

    evt->event_type = EXIT_RET_EVENT;
    evt->trace_id = SYS_EXIT_SPLICE;
    evt->pid = pid;
    evt->tid = tid;
    evt->time = bpf_ktime_get_boot_ns();
    evt->ret = ctx->ret;
    evt->ret_type = TRANSFER_CLASSIFIED;
    bpf_ringbuf_submit(evt, 0);
    return 0;
}

/// sys_enter_tee is a struct fd_event (kind=fd)
/// Only args[0] (the input descriptor) is recorded; tee() also takes an
/// output descriptor in args[1], which does not appear in the event.
SEC("tracepoint/syscalls/sys_enter_tee")
int handle_sys_enter_tee(struct syscall_trace_enter *ctx)
{
    struct fd_event *evt;
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_TEE))
        return 0;

    evt = bpf_ringbuf_reserve(&event_map, sizeof(*evt), 0);
    if (!evt)
        return 0;

    evt->event_type = ENTER_FD_EVENT;
    evt->trace_id = SYS_ENTER_TEE;
    evt->pid = pid;
    evt->tid = tid;
    evt->time = bpf_ktime_get_boot_ns();
    evt->fd = (__s32)ctx->args[0];
    bpf_ringbuf_submit(evt, 0);
    return 0;
}

/// sys_exit_tee is a struct ret_event (TRANSFER_CLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_tee")
int handle_sys_exit_tee(struct syscall_trace_exit *ctx)
{
    struct ret_event *evt;
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_TEE, ctx->ret))
        return 0;

    evt = bpf_ringbuf_reserve(&event_map, sizeof(*evt), 0);
    if (!evt)
        return 0;

    evt->event_type = EXIT_RET_EVENT;
    evt->trace_id = SYS_EXIT_TEE;
    evt->pid = pid;
    evt->tid = tid;
    evt->time = bpf_ktime_get_boot_ns();
    evt->ret = ctx->ret;
    evt->ret_type = TRANSFER_CLASSIFIED;
    bpf_ringbuf_submit(evt, 0);
    return 0;
}

/// sys_enter_setxattrat is a struct path_event (kind=pathname)
/// Copies the user path from args[1]. Neither args[0] (dirfd) nor the
/// attribute name is recorded, so the event alone cannot tell which
/// attribute was written (for example a security.* one versus a user.* one).
SEC("tracepoint/syscalls/sys_enter_setxattrat")
int handle_sys_enter_setxattrat(struct syscall_trace_enter *ctx)
{
    struct path_event *evt;
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_SETXATTRAT))
        return 0;

    evt = bpf_ringbuf_reserve(&event_map, sizeof(*evt), 0);
    if (!evt)
        return 0;

    evt->event_type = ENTER_PATH_EVENT;
    evt->trace_id = SYS_ENTER_SETXATTRAT;
    evt->pid = pid;
    evt->tid = tid;
    evt->time = bpf_ktime_get_boot_ns();
    /*
     * Best-effort copy of the user-supplied path at syscall entry. The
     * helper's return value is ignored: a NULL or faulting pointer leaves
     * the zeroed pathname empty, and a path longer than the buffer is
     * truncated. The kernel copies the path again when it runs the syscall,
     * so the logged string can differ from the one acted on if the caller
     * rewrites its buffer in between.
     */
    __builtin_memset(&(evt->pathname), 0, sizeof(evt->pathname));
    bpf_probe_read_user_str(evt->pathname, sizeof(evt->pathname), (void *)ctx->args[1]);
    bpf_ringbuf_submit(evt, 0);
    return 0;
}

/// sys_exit_setxattrat is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_setxattrat")
int handle_sys_exit_setxattrat(struct syscall_trace_exit *ctx)
{
    struct ret_event *evt;
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_SETXATTRAT, ctx->ret))
        return 0;

    evt = bpf_ringbuf_reserve(&event_map, sizeof(*evt), 0);
    if (!evt)
        return 0;

    evt->event_type = EXIT_RET_EVENT;
    evt->trace_id = SYS_EXIT_SETXATTRAT;
    evt->pid = pid;
    evt->tid = tid;
    evt->time = bpf_ktime_get_boot_ns();
    evt->ret = ctx->ret;
    evt->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(evt, 0);
    return 0;
}

/// sys_enter_setxattr is a struct path_event (kind=pathname)
/// Copies the user path from args[0]; the attribute name (args[1]) is not
/// recorded.
SEC("tracepoint/syscalls/sys_enter_setxattr")
int handle_sys_enter_setxattr(struct syscall_trace_enter *ctx)
{
    struct path_event *evt;
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_SETXATTR))
        return 0;

    evt = bpf_ringbuf_reserve(&event_map, sizeof(*evt), 0);
    if (!evt)
        return 0;

    evt->event_type = ENTER_PATH_EVENT;
    evt->trace_id = SYS_ENTER_SETXATTR;
    evt->pid = pid;
    evt->tid = tid;
    evt->time = bpf_ktime_get_boot_ns();
    /* Same best-effort path capture as handle_sys_enter_setxattrat. */
    __builtin_memset(&(evt->pathname), 0, sizeof(evt->pathname));
    bpf_probe_read_user_str(evt->pathname, sizeof(evt->pathname), (void *)ctx->args[0]);
    bpf_ringbuf_submit(evt, 0);
    return 0;
}

/// sys_exit_setxattr is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_setxattr")
int handle_sys_exit_setxattr(struct syscall_trace_exit *ctx)
{
    struct ret_event *evt;
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_SETXATTR, ctx->ret))
        return 0;

    evt = bpf_ringbuf_reserve(&event_map, sizeof(*evt), 0);
    if (!evt)
        return 0;

    evt->event_type = EXIT_RET_EVENT;
    evt->trace_id = SYS_EXIT_SETXATTR;
    evt->pid = pid;
    evt->tid = tid;
    evt->time = bpf_ktime_get_boot_ns();
    evt->ret = ctx->ret;
    evt->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(evt, 0);
    return 0;
}

/// sys_enter_lsetxattr is a struct path_event (kind=pathname)
/// Copies the user path from args[0]; the attribute name (args[1]) is not
/// recorded.
SEC("tracepoint/syscalls/sys_enter_lsetxattr")
int handle_sys_enter_lsetxattr(struct syscall_trace_enter *ctx)
{
    struct path_event *evt;
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_LSETXATTR))
        return 0;

    evt = bpf_ringbuf_reserve(&event_map, sizeof(*evt), 0);
    if (!evt)
        return 0;

    evt->event_type = ENTER_PATH_EVENT;
    evt->trace_id = SYS_ENTER_LSETXATTR;
    evt->pid = pid;
    evt->tid = tid;
    evt->time = bpf_ktime_get_boot_ns();
    /* Same best-effort path capture as handle_sys_enter_setxattrat. */
    __builtin_memset(&(evt->pathname), 0, sizeof(evt->pathname));
    bpf_probe_read_user_str(evt->pathname, sizeof(evt->pathname), (void *)ctx->args[0]);
    bpf_ringbuf_submit(evt, 0);
    return 0;
}

/// sys_exit_lsetxattr is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_lsetxattr")
int handle_sys_exit_lsetxattr(struct syscall_trace_exit *ctx)
{
    struct ret_event *evt;
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_LSETXATTR, ctx->ret))
        return 0;

    evt = bpf_ringbuf_reserve(&event_map, sizeof(*evt), 0);
    if (!evt)
        return 0;

    evt->event_type = EXIT_RET_EVENT;
    evt->trace_id = SYS_EXIT_LSETXATTR;
    evt->pid = pid;
    evt->tid = tid;
    evt->time = bpf_ktime_get_boot_ns();
    evt->ret = ctx->ret;
    evt->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(evt, 0);
    return 0;
}

/// sys_enter_fsetxattr is a struct fd_event (kind=fd)
/// Only args[0] (the descriptor) is recorded; the attribute name (args[1])
/// is not.
SEC("tracepoint/syscalls/sys_enter_fsetxattr")
int handle_sys_enter_fsetxattr(struct syscall_trace_enter *ctx)
{
    struct fd_event *evt;
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_FSETXATTR))
        return 0;

    evt = bpf_ringbuf_reserve(&event_map, sizeof(*evt), 0);
    if (!evt)
        return 0;

    evt->event_type = ENTER_FD_EVENT;
    evt->trace_id = SYS_ENTER_FSETXATTR;
    evt->pid = pid;
    evt->tid = tid;
    evt->time = bpf_ktime_get_boot_ns();
    evt->fd = (__s32)ctx->args[0];
    bpf_ringbuf_submit(evt, 0);
    return 0;
}

/// sys_exit_fsetxattr is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_fsetxattr")
int handle_sys_exit_fsetxattr(struct syscall_trace_exit *ctx)
{
    struct ret_event *evt;
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_FSETXATTR, ctx->ret))
        return 0;

    evt = bpf_ringbuf_reserve(&event_map, sizeof(*evt), 0);
    if (!evt)
        return 0;

    evt->event_type = EXIT_RET_EVENT;
    evt->trace_id = SYS_EXIT_FSETXATTR;
    evt->pid = pid;
    evt->tid = tid;
    evt->time = bpf_ktime_get_boot_ns();
    evt->ret = ctx->ret;
    evt->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(evt, 0);
    return 0;
}

/// sys_enter_getxattrat is a struct path_event (kind=pathname)
/// Copies the user path from args[1]; args[0] (dirfd) and the attribute
/// name are not recorded.
SEC("tracepoint/syscalls/sys_enter_getxattrat")
int handle_sys_enter_getxattrat(struct syscall_trace_enter *ctx)
{
    struct path_event *evt;
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_GETXATTRAT))
        return 0;

    evt = bpf_ringbuf_reserve(&event_map, sizeof(*evt), 0);
    if (!evt)
        return 0;

    evt->event_type = ENTER_PATH_EVENT;
    evt->trace_id = SYS_ENTER_GETXATTRAT;
    evt->pid = pid;
    evt->tid = tid;
    evt->time = bpf_ktime_get_boot_ns();
    /* Same best-effort path capture as handle_sys_enter_setxattrat. */
    __builtin_memset(&(evt->pathname), 0, sizeof(evt->pathname));
    bpf_probe_read_user_str(evt->pathname, sizeof(evt->pathname), (void *)ctx->args[1]);
    bpf_ringbuf_submit(evt, 0);
    return 0;
}

/// sys_exit_getxattrat is a struct ret_event (READ_CLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_getxattrat")
int handle_sys_exit_getxattrat(struct syscall_trace_exit *ctx)
{
    struct ret_event *evt;
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_GETXATTRAT, ctx->ret))
        return 0;

    evt = bpf_ringbuf_reserve(&event_map, sizeof(*evt), 0);
    if (!evt)
        return 0;

    evt->event_type = EXIT_RET_EVENT;
    evt->trace_id = SYS_EXIT_GETXATTRAT;
    evt->pid = pid;
    evt->tid = tid;
    evt->time = bpf_ktime_get_boot_ns();
    evt->ret = ctx->ret;
    evt->ret_type = READ_CLASSIFIED;
    bpf_ringbuf_submit(evt, 0);
    return 0;
}

/// sys_enter_getxattr is a struct path_event (kind=pathname)
/// Copies the user path from args[0]; the attribute name (args[1]) is not
/// recorded.
SEC("tracepoint/syscalls/sys_enter_getxattr")
int handle_sys_enter_getxattr(struct syscall_trace_enter *ctx)
{
    struct path_event *evt;
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_GETXATTR))
        return 0;

    evt = bpf_ringbuf_reserve(&event_map, sizeof(*evt), 0);
    if (!evt)
        return 0;

    evt->event_type = ENTER_PATH_EVENT;
    evt->trace_id = SYS_ENTER_GETXATTR;
    evt->pid = pid;
    evt->tid = tid;
    evt->time = bpf_ktime_get_boot_ns();
    /* Same best-effort path capture as handle_sys_enter_setxattrat. */
    __builtin_memset(&(evt->pathname), 0, sizeof(evt->pathname));
    bpf_probe_read_user_str(evt->pathname, sizeof(evt->pathname), (void *)ctx->args[0]);
    bpf_ringbuf_submit(evt, 0);
    return 0;
}

/// sys_exit_getxattr is a struct ret_event (READ_CLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_getxattr")
int handle_sys_exit_getxattr(struct syscall_trace_exit *ctx)
{
    struct ret_event *evt;
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_GETXATTR, ctx->ret))
        return 0;

    evt = bpf_ringbuf_reserve(&event_map, sizeof(*evt), 0);
    if (!evt)
        return 0;

    evt->event_type = EXIT_RET_EVENT;
    evt->trace_id = SYS_EXIT_GETXATTR;
    evt->pid = pid;
    evt->tid = tid;
    evt->time = bpf_ktime_get_boot_ns();
    evt->ret = ctx->ret;
    evt->ret_type = READ_CLASSIFIED;
    bpf_ringbuf_submit(evt, 0);
    return 0;
}

/// sys_enter_lgetxattr is a struct path_event (kind=pathname)
/// Copies the user path from args[0]; the attribute name (args[1]) is not
/// recorded.
SEC("tracepoint/syscalls/sys_enter_lgetxattr")
int handle_sys_enter_lgetxattr(struct syscall_trace_enter *ctx)
{
    struct path_event *evt;
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_LGETXATTR))
        return 0;

    evt = bpf_ringbuf_reserve(&event_map, sizeof(*evt), 0);
    if (!evt)
        return 0;

    evt->event_type = ENTER_PATH_EVENT;
    evt->trace_id = SYS_ENTER_LGETXATTR;
    evt->pid = pid;
    evt->tid = tid;
    evt->time = bpf_ktime_get_boot_ns();
    /* Same best-effort path capture as handle_sys_enter_setxattrat. */
    __builtin_memset(&(evt->pathname), 0, sizeof(evt->pathname));
    bpf_probe_read_user_str(evt->pathname, sizeof(evt->pathname), (void *)ctx->args[0]);
    bpf_ringbuf_submit(evt, 0);
    return 0;
}

/// sys_exit_lgetxattr is a struct ret_event (READ_CLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_lgetxattr")
int handle_sys_exit_lgetxattr(struct syscall_trace_exit *ctx)
{
    struct ret_event *evt;
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_LGETXATTR, ctx->ret))
        return 0;

    evt = bpf_ringbuf_reserve(&event_map, sizeof(*evt), 0);
    if (!evt)
        return 0;

    evt->event_type = EXIT_RET_EVENT;
    evt->trace_id = SYS_EXIT_LGETXATTR;
    evt->pid = pid;
    evt->tid = tid;
    evt->time = bpf_ktime_get_boot_ns();
    evt->ret = ctx->ret;
    evt->ret_type = READ_CLASSIFIED;
    bpf_ringbuf_submit(evt, 0);
    return 0;
}

/// sys_enter_fgetxattr is a struct fd_event (kind=fd)
/// Only args[0] (the descriptor) is recorded; the attribute name (args[1])
/// is not.
SEC("tracepoint/syscalls/sys_enter_fgetxattr")
int handle_sys_enter_fgetxattr(struct syscall_trace_enter *ctx)
{
    struct fd_event *evt;
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_FGETXATTR))
        return 0;

    evt = bpf_ringbuf_reserve(&event_map, sizeof(*evt), 0);
    if (!evt)
        return 0;

    evt->event_type = ENTER_FD_EVENT;
    evt->trace_id = SYS_ENTER_FGETXATTR;
    evt->pid = pid;
    evt->tid = tid;
    evt->time = bpf_ktime_get_boot_ns();
    evt->fd = (__s32)ctx->args[0];
    bpf_ringbuf_submit(evt, 0);
    return 0;
}

/// sys_exit_fgetxattr is a struct ret_event (READ_CLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_fgetxattr")
int handle_sys_exit_fgetxattr(struct syscall_trace_exit *ctx)
{
    struct ret_event *evt;
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_FGETXATTR, ctx->ret))
        return 0;

    evt = bpf_ringbuf_reserve(&event_map, sizeof(*evt), 0);
    if (!evt)
        return 0;

    evt->event_type = EXIT_RET_EVENT;
    evt->trace_id = SYS_EXIT_FGETXATTR;
    evt->pid = pid;
    evt->tid = tid;
    evt->time = bpf_ktime_get_boot_ns();
    evt->ret = ctx->ret;
    evt->ret_type = READ_CLASSIFIED;
    bpf_ringbuf_submit(evt, 0);
    return 0;
}

/// sys_enter_listxattrat is a struct path_event (kind=pathname)
/// Copies the user path from args[1]; args[0] (dirfd) is not recorded.
SEC("tracepoint/syscalls/sys_enter_listxattrat")
int handle_sys_enter_listxattrat(struct syscall_trace_enter *ctx)
{
    struct path_event *evt;
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_LISTXATTRAT))
        return 0;

    evt = bpf_ringbuf_reserve(&event_map, sizeof(*evt), 0);
    if (!evt)
        return 0;

    evt->event_type = ENTER_PATH_EVENT;
    evt->trace_id = SYS_ENTER_LISTXATTRAT;
    evt->pid = pid;
    evt->tid = tid;
    evt->time = bpf_ktime_get_boot_ns();
    /* Same best-effort path capture as handle_sys_enter_setxattrat. */
    __builtin_memset(&(evt->pathname), 0, sizeof(evt->pathname));
    bpf_probe_read_user_str(evt->pathname, sizeof(evt->pathname), (void *)ctx->args[1]);
    bpf_ringbuf_submit(evt, 0);
    return 0;
}

/// sys_exit_listxattrat is a struct ret_event (READ_CLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_listxattrat")
int handle_sys_exit_listxattrat(struct syscall_trace_exit *ctx)
{
    struct ret_event *evt;
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_LISTXATTRAT, ctx->ret))
        return 0;

    evt = bpf_ringbuf_reserve(&event_map, sizeof(*evt), 0);
    if (!evt)
        return 0;

    evt->event_type = EXIT_RET_EVENT;
    evt->trace_id = SYS_EXIT_LISTXATTRAT;
    evt->pid = pid;
    evt->tid = tid;
    evt->time = bpf_ktime_get_boot_ns();
    evt->ret = ctx->ret;
    evt->ret_type = READ_CLASSIFIED;
    bpf_ringbuf_submit(evt, 0);
    return 0;
}

/// sys_enter_listxattr is a struct path_event (kind=pathname)
/// Copies the user path from args[0].
SEC("tracepoint/syscalls/sys_enter_listxattr")
int handle_sys_enter_listxattr(struct syscall_trace_enter *ctx)
{
    struct path_event *evt;
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_LISTXATTR))
        return 0;

    evt = bpf_ringbuf_reserve(&event_map, sizeof(*evt), 0);
    if (!evt)
        return 0;

    evt->event_type = ENTER_PATH_EVENT;
    evt->trace_id = SYS_ENTER_LISTXATTR;
    evt->pid = pid;
    evt->tid = tid;
    evt->time = bpf_ktime_get_boot_ns();
    /* Same best-effort path capture as handle_sys_enter_setxattrat. */
    __builtin_memset(&(evt->pathname), 0, sizeof(evt->pathname));
    bpf_probe_read_user_str(evt->pathname, sizeof(evt->pathname), (void *)ctx->args[0]);
    bpf_ringbuf_submit(evt, 0);
    return 0;
}

/// sys_exit_listxattr is a struct ret_event (READ_CLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_listxattr")
int handle_sys_exit_listxattr(struct syscall_trace_exit *ctx)
{
    struct ret_event *evt;
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_LISTXATTR, ctx->ret))
        return 0;

    evt = bpf_ringbuf_reserve(&event_map, sizeof(*evt), 0);
    if (!evt)
        return 0;

    evt->event_type = EXIT_RET_EVENT;
    evt->trace_id = SYS_EXIT_LISTXATTR;
    evt->pid = pid;
    evt->tid = tid;
    evt->time = bpf_ktime_get_boot_ns();
    evt->ret = ctx->ret;
    evt->ret_type = READ_CLASSIFIED;
    bpf_ringbuf_submit(evt, 0);
    return 0;
}

/// sys_enter_llistxattr is a struct path_event (kind=pathname)
/// Copies the user path from args[0].
SEC("tracepoint/syscalls/sys_enter_llistxattr")
int handle_sys_enter_llistxattr(struct syscall_trace_enter *ctx)
{
    struct path_event *evt;
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_LLISTXATTR))
        return 0;

    evt = bpf_ringbuf_reserve(&event_map, sizeof(*evt), 0);
    if (!evt)
        return 0;

    evt->event_type = ENTER_PATH_EVENT;
    evt->trace_id = SYS_ENTER_LLISTXATTR;
    evt->pid = pid;
    evt->tid = tid;
    evt->time = bpf_ktime_get_boot_ns();
    /* Same best-effort path capture as handle_sys_enter_setxattrat. */
    __builtin_memset(&(evt->pathname), 0, sizeof(evt->pathname));
    bpf_probe_read_user_str(evt->pathname, sizeof(evt->pathname), (void *)ctx->args[0]);
    bpf_ringbuf_submit(evt, 0);
    return 0;
}

/// sys_exit_llistxattr is a struct ret_event (READ_CLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_llistxattr")
int handle_sys_exit_llistxattr(struct syscall_trace_exit *ctx)
{
    struct ret_event *evt;
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_LLISTXATTR, ctx->ret))
        return 0;

    evt = bpf_ringbuf_reserve(&event_map, sizeof(*evt), 0);
    if (!evt)
        return 0;

    evt->event_type = EXIT_RET_EVENT;
    evt->trace_id = SYS_EXIT_LLISTXATTR;
    evt->pid = pid;
    evt->tid = tid;
    evt->time = bpf_ktime_get_boot_ns();
    evt->ret = ctx->ret;
    evt->ret_type = READ_CLASSIFIED;
    bpf_ringbuf_submit(evt, 0);
    return 0;
}

/// sys_enter_flistxattr is a struct fd_event (kind=fd)
SEC("tracepoint/syscalls/sys_enter_flistxattr")
int handle_sys_enter_flistxattr(struct syscall_trace_enter *ctx)
{
    struct fd_event *evt;
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_FLISTXATTR))
        return 0;

    evt = bpf_ringbuf_reserve(&event_map, sizeof(*evt), 0);
    if (!evt)
        return 0;

    evt->event_type = ENTER_FD_EVENT;
    evt->trace_id = SYS_ENTER_FLISTXATTR;
    evt->pid = pid;
    evt->tid = tid;
    evt->time = bpf_ktime_get_boot_ns();
    evt->fd = (__s32)ctx->args[0];
    bpf_ringbuf_submit(evt, 0);
    return 0;
}

/// sys_exit_flistxattr is a struct ret_event (READ_CLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_flistxattr")
int handle_sys_exit_flistxattr(struct syscall_trace_exit *ctx)
{
    struct ret_event *evt;
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_FLISTXATTR, ctx->ret))
        return 0;

    evt = bpf_ringbuf_reserve(&event_map, sizeof(*evt), 0);
    if (!evt)
        return 0;

    evt->event_type = EXIT_RET_EVENT;
    evt->trace_id = SYS_EXIT_FLISTXATTR;
    evt->pid = pid;
    evt->tid = tid;
    evt->time = bpf_ktime_get_boot_ns();
    evt->ret = ctx->ret;
    evt->ret_type = READ_CLASSIFIED;
    bpf_ringbuf_submit(evt, 0);
    return 0;
}

/// sys_enter_removexattrat is a struct path_event (kind=pathname)
/// Copies the user path from args[1]; args[0] (dirfd) and the attribute
/// name are not recorded.
SEC("tracepoint/syscalls/sys_enter_removexattrat")
int handle_sys_enter_removexattrat(struct syscall_trace_enter *ctx)
{
    struct path_event *evt;
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_REMOVEXATTRAT))
        return 0;

    evt = bpf_ringbuf_reserve(&event_map, sizeof(*evt), 0);
    if (!evt)
        return 0;

    evt->event_type = ENTER_PATH_EVENT;
    evt->trace_id = SYS_ENTER_REMOVEXATTRAT;
    evt->pid = pid;
    evt->tid = tid;
    evt->time = bpf_ktime_get_boot_ns();
    /* Same best-effort path capture as handle_sys_enter_setxattrat. */
    __builtin_memset(&(evt->pathname), 0, sizeof(evt->pathname));
    bpf_probe_read_user_str(evt->pathname, sizeof(evt->pathname), (void *)ctx->args[1]);
    bpf_ringbuf_submit(evt, 0);
    return 0;
}

/// sys_exit_removexattrat is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_removexattrat")
int handle_sys_exit_removexattrat(struct syscall_trace_exit *ctx)
{
    struct ret_event *evt;
    __u32 pid, tid;

    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_REMOVEXATTRAT, ctx->ret))
        return 0;

    evt = bpf_ringbuf_reserve(&event_map, sizeof(*evt), 0);
    if (!evt)
        return 0;

    evt->event_type = EXIT_RET_EVENT;
    evt->trace_id = SYS_EXIT_REMOVEXATTRAT;
    evt->pid = pid;
    evt->tid = tid;
    evt->time = bpf_ktime_get_boot_ns();
    evt->ret = ctx->ret;
    evt->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(evt, 0);
    return 0;
}

/// sys_enter_removexattr is a struct path_event (kind=pathname)
SEC("tracepoint/syscalls/sys_enter_removexattr")
int handle_sys_enter_removexattr(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; if
(!ior_on_syscall_enter(tid, SYS_ENTER_REMOVEXATTR)) return 0; struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; ev->event_type = ENTER_PATH_EVENT; ev->trace_id = SYS_ENTER_REMOVEXATTR; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); bpf_ringbuf_submit(ev, 0); return 0; } /// sys_exit_removexattr is a struct ret_event (UNCLASSIFIED) (kind=ret) SEC("tracepoint/syscalls/sys_exit_removexattr") int handle_sys_exit_removexattr(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; if (!ior_on_syscall_exit(tid, SYS_ENTER_REMOVEXATTR, ctx->ret)) return 0; struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; ev->event_type = EXIT_RET_EVENT; ev->trace_id = SYS_EXIT_REMOVEXATTR; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); ev->ret = ctx->ret; ev->ret_type = UNCLASSIFIED; bpf_ringbuf_submit(ev, 0); return 0; } /// sys_enter_lremovexattr is a struct path_event (kind=pathname) SEC("tracepoint/syscalls/sys_enter_lremovexattr") int handle_sys_enter_lremovexattr(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; if (!ior_on_syscall_enter(tid, SYS_ENTER_LREMOVEXATTR)) return 0; struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; ev->event_type = ENTER_PATH_EVENT; ev->trace_id = SYS_ENTER_LREMOVEXATTR; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); bpf_ringbuf_submit(ev, 0); return 0; } /// sys_exit_lremovexattr is a struct ret_event (UNCLASSIFIED) (kind=ret) SEC("tracepoint/syscalls/sys_exit_lremovexattr") int 
handle_sys_exit_lremovexattr(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; if (!ior_on_syscall_exit(tid, SYS_ENTER_LREMOVEXATTR, ctx->ret)) return 0; struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; ev->event_type = EXIT_RET_EVENT; ev->trace_id = SYS_EXIT_LREMOVEXATTR; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); ev->ret = ctx->ret; ev->ret_type = UNCLASSIFIED; bpf_ringbuf_submit(ev, 0); return 0; } /// sys_enter_fremovexattr is a struct fd_event (kind=fd) SEC("tracepoint/syscalls/sys_enter_fremovexattr") int handle_sys_enter_fremovexattr(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; if (!ior_on_syscall_enter(tid, SYS_ENTER_FREMOVEXATTR)) return 0; struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; ev->event_type = ENTER_FD_EVENT; ev->trace_id = SYS_ENTER_FREMOVEXATTR; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); ev->fd = (__s32)ctx->args[0]; bpf_ringbuf_submit(ev, 0); return 0; } /// sys_exit_fremovexattr is a struct ret_event (UNCLASSIFIED) (kind=ret) SEC("tracepoint/syscalls/sys_exit_fremovexattr") int handle_sys_exit_fremovexattr(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; if (!ior_on_syscall_exit(tid, SYS_ENTER_FREMOVEXATTR, ctx->ret)) return 0; struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; ev->event_type = EXIT_RET_EVENT; ev->trace_id = SYS_EXIT_FREMOVEXATTR; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); ev->ret = ctx->ret; ev->ret_type = UNCLASSIFIED; bpf_ringbuf_submit(ev, 0); return 0; } /// sys_enter_umount is a struct path_event (kind=pathname) SEC("tracepoint/syscalls/sys_enter_umount") int handle_sys_enter_umount(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; if 
(!ior_on_syscall_enter(tid, SYS_ENTER_UMOUNT))
        return 0;
    struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
    if (!ev)
        return 0;
    ev->event_type = ENTER_PATH_EVENT;
    ev->trace_id = SYS_ENTER_UMOUNT;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
    bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]);
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_umount is a struct ret_event (UNCLASSIFIED) (kind=ret)
///
/// Reports the umount return value. Nothing is emitted when filter() returns
/// non-zero, when ior_on_syscall_exit() returns zero, or when the ring buffer
/// has no room; none of those cases is counted here.
SEC("tracepoint/syscalls/sys_exit_umount")
int handle_sys_exit_umount(struct syscall_trace_exit *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    // The pairing key is the ENTER id; the emitted trace_id is the EXIT id.
    if (!ior_on_syscall_exit(tid, SYS_ENTER_UMOUNT, ctx->ret))
        return 0;
    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev)
        return 0;
    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_UMOUNT;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_open_tree is a struct open_event (kind=open)
///
/// Records args[1] as the filename, args[2] as flags, and the current comm.
/// NOTE(review): for open_tree(2) args[2] carries OPEN_TREE_* / AT_* bits, not
/// open(2) O_* bits; confirm the consumer decodes flags by trace_id.
SEC("tracepoint/syscalls/sys_enter_open_tree")
int handle_sys_enter_open_tree(struct syscall_trace_enter *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_OPEN_TREE))
        return 0;
    struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0);
    if (!ev)
        return 0;
    ev->event_type = ENTER_OPEN_EVENT;
    ev->trace_id = SYS_ENTER_OPEN_TREE;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    // One memset clears filename and comm together. That relies on comm
    // directly following filename in struct open_event with no padding;
    // the layout is not visible here - TODO confirm.
    __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm));
    // Return value ignored: a faulting pointer leaves the zeroed buffer, and
    // an over-long name is truncated without any marker in the event.
    bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[1]);
    bpf_get_current_comm(&ev->comm, sizeof(ev->comm));
    ev->flags = ctx->args[2];
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_open_tree is a struct ret_event (UNCLASSIFIED) (kind=ret)
///
/// Reports the open_tree return value; same drop conditions as the other
/// ret_event handlers (filter, ior_on_syscall_exit, ring buffer full).
SEC("tracepoint/syscalls/sys_exit_open_tree")
int handle_sys_exit_open_tree(struct syscall_trace_exit *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_OPEN_TREE, ctx->ret))
        return 0;
    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev)
        return 0;
    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_OPEN_TREE;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_mount is a struct path_event (kind=pathname)
///
/// Records args[1] only. For mount(2) that is the target directory; the
/// source (args[0]), the filesystem type and the mount flags are not
/// captured, so a bind mount and a fresh filesystem mount produce the same
/// event shape.
SEC("tracepoint/syscalls/sys_enter_mount")
int handle_sys_enter_mount(struct syscall_trace_enter *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_MOUNT))
        return 0;
    struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
    if (!ev)
        return 0;
    ev->event_type = ENTER_PATH_EVENT;
    ev->trace_id = SYS_ENTER_MOUNT;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
    // The path is copied from user memory at syscall entry, so another thread
    // can still rewrite it before the kernel resolves it; treat the recorded
    // string as advisory. Read failures and truncation are not reported.
    bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]);
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_mount is a struct ret_event (UNCLASSIFIED) (kind=ret)
///
/// Reports the mount return value; same drop conditions as the other
/// ret_event handlers (filter, ior_on_syscall_exit, ring buffer full).
SEC("tracepoint/syscalls/sys_exit_mount")
int handle_sys_exit_mount(struct syscall_trace_exit *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_MOUNT, ctx->ret))
        return 0;
    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev)
        return 0;
    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_MOUNT;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_fsmount is a struct eventfd_event (kind=eventfd)
SEC("tracepoint/syscalls/sys_enter_fsmount")
int
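handle_sys_enter_fsmount(struct syscall_trace_enter *ctx) {
    // Entry half of the fsmount pair: emits an eventfd_event carrying args[1]
    // (the fsmount flags) and parks the same value in eventfd_flags_map,
    // keyed by tid, so the exit handler can attach it to the result.
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_FSMOUNT))
        return 0;
    struct eventfd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct eventfd_event), 0);
    if (!ev)
        return 0; // ring buffer full: no event and no map entry is written
    ev->event_type = ENTER_EVENTFD_EVENT;
    ev->trace_id = SYS_ENTER_FSMOUNT;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    __s32 flags = (__s32)ctx->args[1];
    // Best effort: if the update fails, the exit event reports flags as 0.
    bpf_map_update_elem(&eventfd_flags_map, &tid, &flags, BPF_ANY);
    ev->flags = flags;
    ev->ret = -1; // placeholder; the real result arrives with the exit event
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_fsmount is a struct eventfd_event (kind=eventfd)
///
/// Exit half of the fsmount pair: emits an eventfd_event with the syscall
/// result and the flags saved by the enter handler (0 when none were saved).
///
/// The per-thread entry in eventfd_flags_map is consumed before any early
/// return. Previously it was only removed after a successful ring buffer
/// reservation, so a full ring buffer (or a zero return from
/// ior_on_syscall_exit) left the entry behind: the map slowly filled with
/// dead tids and a later exit on a reused tid could report stale flags.
/// NOTE(review): this file is generated; the same reordering belongs in the
/// generator template, and ior_on_syscall_exit is assumed not to read
/// eventfd_flags_map - confirm.
SEC("tracepoint/syscalls/sys_exit_fsmount")
int handle_sys_exit_fsmount(struct syscall_trace_exit *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;

    // Drain the saved flags first so no exit path can leak the map entry.
    __s32 flags = 0;
    __s32 *pending = bpf_map_lookup_elem(&eventfd_flags_map, &tid);
    if (pending) {
        flags = *pending;
        bpf_map_delete_elem(&eventfd_flags_map, &tid);
    }

    if (!ior_on_syscall_exit(tid, SYS_ENTER_FSMOUNT, ctx->ret))
        return 0;
    struct eventfd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct eventfd_event), 0);
    if (!ev)
        return 0;
    ev->event_type = EXIT_EVENTFD_EVENT;
    ev->trace_id = SYS_EXIT_FSMOUNT;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->flags = flags;
    ev->ret = ctx->ret;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_move_mount is a struct two_fd_event (kind=two-fd)
SEC("tracepoint/syscalls/sys_enter_move_mount")
int handle_sys_enter_move_mount(struct syscall_trace_enter *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_MOVE_MOUNT))
        return 0;
    struct two_fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct two_fd_event), 0);
    if (!ev)
        return 0;
    ev->event_type = ENTER_TWO_FD_EVENT;
    ev->trace_id = SYS_ENTER_MOVE_MOUNT;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->fd_a = (__s32)ctx->args[0];
    ev->fd_b = (__s32)ctx->args[2];
    ev->extra =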
(__u64)ctx->args[4]; bpf_ringbuf_submit(ev, 0); return 0; } /// sys_exit_move_mount is a struct ret_event (UNCLASSIFIED) (kind=ret) SEC("tracepoint/syscalls/sys_exit_move_mount") int handle_sys_exit_move_mount(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; if (!ior_on_syscall_exit(tid, SYS_ENTER_MOVE_MOUNT, ctx->ret)) return 0; struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; ev->event_type = EXIT_RET_EVENT; ev->trace_id = SYS_EXIT_MOVE_MOUNT; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); ev->ret = ctx->ret; ev->ret_type = UNCLASSIFIED; bpf_ringbuf_submit(ev, 0); return 0; } /// sys_enter_pivot_root is a struct path_event (kind=pathname) SEC("tracepoint/syscalls/sys_enter_pivot_root") int handle_sys_enter_pivot_root(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; if (!ior_on_syscall_enter(tid, SYS_ENTER_PIVOT_ROOT)) return 0; struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; ev->event_type = ENTER_PATH_EVENT; ev->trace_id = SYS_ENTER_PIVOT_ROOT; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); bpf_ringbuf_submit(ev, 0); return 0; } /// sys_exit_pivot_root is a struct ret_event (UNCLASSIFIED) (kind=ret) SEC("tracepoint/syscalls/sys_exit_pivot_root") int handle_sys_exit_pivot_root(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; if (!ior_on_syscall_exit(tid, SYS_ENTER_PIVOT_ROOT, ctx->ret)) return 0; struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; ev->event_type = EXIT_RET_EVENT; ev->trace_id = SYS_EXIT_PIVOT_ROOT; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); ev->ret = ctx->ret; ev->ret_type = 
UNCLASSIFIED; bpf_ringbuf_submit(ev, 0); return 0; } /// sys_enter_mount_setattr is a struct path_event (kind=pathname) SEC("tracepoint/syscalls/sys_enter_mount_setattr") int handle_sys_enter_mount_setattr(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; if (!ior_on_syscall_enter(tid, SYS_ENTER_MOUNT_SETATTR)) return 0; struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; ev->event_type = ENTER_PATH_EVENT; ev->trace_id = SYS_ENTER_MOUNT_SETATTR; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]); bpf_ringbuf_submit(ev, 0); return 0; } /// sys_exit_mount_setattr is a struct ret_event (UNCLASSIFIED) (kind=ret) SEC("tracepoint/syscalls/sys_exit_mount_setattr") int handle_sys_exit_mount_setattr(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; if (!ior_on_syscall_exit(tid, SYS_ENTER_MOUNT_SETATTR, ctx->ret)) return 0; struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; ev->event_type = EXIT_RET_EVENT; ev->trace_id = SYS_EXIT_MOUNT_SETATTR; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); ev->ret = ctx->ret; ev->ret_type = UNCLASSIFIED; bpf_ringbuf_submit(ev, 0); return 0; } /// sys_enter_open_tree_attr is a struct open_event (kind=open) SEC("tracepoint/syscalls/sys_enter_open_tree_attr") int handle_sys_enter_open_tree_attr(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; if (!ior_on_syscall_enter(tid, SYS_ENTER_OPEN_TREE_ATTR)) return 0; struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); if (!ev) return 0; ev->event_type = ENTER_OPEN_EVENT; ev->trace_id = SYS_ENTER_OPEN_TREE_ATTR; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); 
__builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[1]); bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); ev->flags = ctx->args[2]; bpf_ringbuf_submit(ev, 0); return 0; } /// sys_exit_open_tree_attr is a struct ret_event (UNCLASSIFIED) (kind=ret) SEC("tracepoint/syscalls/sys_exit_open_tree_attr") int handle_sys_exit_open_tree_attr(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; if (!ior_on_syscall_exit(tid, SYS_ENTER_OPEN_TREE_ATTR, ctx->ret)) return 0; struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; ev->event_type = EXIT_RET_EVENT; ev->trace_id = SYS_EXIT_OPEN_TREE_ATTR; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); ev->ret = ctx->ret; ev->ret_type = UNCLASSIFIED; bpf_ringbuf_submit(ev, 0); return 0; } /// sys_enter_statmount is a struct null_event (kind=null) SEC("tracepoint/syscalls/sys_enter_statmount") int handle_sys_enter_statmount(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; if (!ior_on_syscall_enter(tid, SYS_ENTER_STATMOUNT)) return 0; struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; ev->event_type = ENTER_NULL_EVENT; ev->trace_id = SYS_ENTER_STATMOUNT; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); bpf_ringbuf_submit(ev, 0); return 0; } /// sys_exit_statmount is a struct ret_event (UNCLASSIFIED) (kind=ret) SEC("tracepoint/syscalls/sys_exit_statmount") int handle_sys_exit_statmount(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; if (!ior_on_syscall_exit(tid, SYS_ENTER_STATMOUNT, ctx->ret)) return 0; struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; ev->event_type = EXIT_RET_EVENT; ev->trace_id = SYS_EXIT_STATMOUNT; ev->pid = pid; ev->tid = 
tid; ev->time = bpf_ktime_get_boot_ns(); ev->ret = ctx->ret; ev->ret_type = UNCLASSIFIED; bpf_ringbuf_submit(ev, 0); return 0; } /// sys_enter_listmount is a struct null_event (kind=null) SEC("tracepoint/syscalls/sys_enter_listmount") int handle_sys_enter_listmount(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; if (!ior_on_syscall_enter(tid, SYS_ENTER_LISTMOUNT)) return 0; struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; ev->event_type = ENTER_NULL_EVENT; ev->trace_id = SYS_ENTER_LISTMOUNT; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); bpf_ringbuf_submit(ev, 0); return 0; } /// sys_exit_listmount is a struct ret_event (UNCLASSIFIED) (kind=ret) SEC("tracepoint/syscalls/sys_exit_listmount") int handle_sys_exit_listmount(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; if (!ior_on_syscall_exit(tid, SYS_ENTER_LISTMOUNT, ctx->ret)) return 0; struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; ev->event_type = EXIT_RET_EVENT; ev->trace_id = SYS_EXIT_LISTMOUNT; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); ev->ret = ctx->ret; ev->ret_type = UNCLASSIFIED; bpf_ringbuf_submit(ev, 0); return 0; } /// sys_enter_sysfs is a struct null_event (kind=null) SEC("tracepoint/syscalls/sys_enter_sysfs") int handle_sys_enter_sysfs(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; if (!ior_on_syscall_enter(tid, SYS_ENTER_SYSFS)) return 0; struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; ev->event_type = ENTER_NULL_EVENT; ev->trace_id = SYS_ENTER_SYSFS; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); bpf_ringbuf_submit(ev, 0); return 0; } /// sys_exit_sysfs is a struct ret_event (UNCLASSIFIED) (kind=ret) SEC("tracepoint/syscalls/sys_exit_sysfs") int 
handle_sys_exit_sysfs(struct syscall_trace_exit *ctx) {
    // Reports the sysfs return value as a ret_event; nothing is emitted when
    // filter() is non-zero, ior_on_syscall_exit() returns zero, or the ring
    // buffer reservation fails.
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_SYSFS, ctx->ret))
        return 0;
    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev)
        return 0;
    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_SYSFS;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_close_range is a struct two_fd_event (kind=two-fd)
///
/// Records args[0] and args[1] (the first and last descriptor of the range)
/// in fd_a / fd_b and args[2] (flags) in extra.
SEC("tracepoint/syscalls/sys_enter_close_range")
int handle_sys_enter_close_range(struct syscall_trace_enter *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_CLOSE_RANGE))
        return 0;
    struct two_fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct two_fd_event), 0);
    if (!ev)
        return 0;
    ev->event_type = ENTER_TWO_FD_EVENT;
    ev->trace_id = SYS_ENTER_CLOSE_RANGE;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    // close_range(2) takes unsigned bounds; the narrowing cast turns the
    // common "up to ~0U" upper bound into -1, so a consumer tracking open
    // descriptors has to read fd_b == -1 as "no upper limit".
    ev->fd_a = (__s32)ctx->args[0];
    ev->fd_b = (__s32)ctx->args[1];
    ev->extra = (__u64)ctx->args[2];
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_close_range is a struct ret_event (UNCLASSIFIED) (kind=ret)
///
/// Reports the close_range return value; same drop conditions as the other
/// ret_event handlers.
SEC("tracepoint/syscalls/sys_exit_close_range")
int handle_sys_exit_close_range(struct syscall_trace_exit *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_CLOSE_RANGE, ctx->ret))
        return 0;
    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev)
        return 0;
    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_CLOSE_RANGE;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_dup3 is a struct dup3_event (kind=dup3)
///
/// Records args[0] (the descriptor being duplicated) and args[2] (flags).
/// args[1], the requested new descriptor, is not stored by this handler; on
/// success it is the value the exit event carries in ret.
SEC("tracepoint/syscalls/sys_enter_dup3")
int handle_sys_enter_dup3(struct syscall_trace_enter *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_DUP3))
        return 0;
    struct dup3_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct dup3_event), 0);
    if (!ev)
        return 0;
    ev->event_type = ENTER_DUP3_EVENT;
    ev->trace_id = SYS_ENTER_DUP3;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->fd = (__s32)ctx->args[0];
    ev->flags = (__s32)ctx->args[2];
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_dup3 is a struct ret_event (UNCLASSIFIED) (kind=ret)
///
/// Reports the dup3 return value; same drop conditions as the other
/// ret_event handlers.
SEC("tracepoint/syscalls/sys_exit_dup3")
int handle_sys_exit_dup3(struct syscall_trace_exit *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_DUP3, ctx->ret))
        return 0;
    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev)
        return 0;
    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_DUP3;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_dup2 is a struct fd_event (kind=fd)
///
/// Records args[0] (the descriptor being duplicated) only; the target
/// descriptor in args[1] is not captured at entry.
SEC("tracepoint/syscalls/sys_enter_dup2")
int handle_sys_enter_dup2(struct syscall_trace_enter *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_DUP2))
        return 0;
    struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
    if (!ev)
        return 0;
    ev->event_type = ENTER_FD_EVENT;
    ev->trace_id = SYS_ENTER_DUP2;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->fd = (__s32)ctx->args[0];
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_dup2 is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_dup2")
int handle_sys_exit_dup2(struct syscall_trace_exit *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_DUP2, ctx->ret))
        return 0;
    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev)
        return 0;
    ev->event_type =
EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_DUP2;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_dup is a struct fd_event (kind=fd)
///
/// Records args[0], the descriptor being duplicated.
SEC("tracepoint/syscalls/sys_enter_dup")
int handle_sys_enter_dup(struct syscall_trace_enter *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_DUP))
        return 0;
    struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
    if (!ev)
        return 0;
    ev->event_type = ENTER_FD_EVENT;
    ev->trace_id = SYS_ENTER_DUP;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->fd = (__s32)ctx->args[0];
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_dup is a struct ret_event (UNCLASSIFIED) (kind=ret)
///
/// Reports the dup return value. Nothing is emitted when filter() is
/// non-zero, ior_on_syscall_exit() returns zero, or the ring buffer
/// reservation fails.
SEC("tracepoint/syscalls/sys_exit_dup")
int handle_sys_exit_dup(struct syscall_trace_exit *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_DUP, ctx->ret))
        return 0;
    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev)
        return 0;
    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_DUP;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_select is a struct poll_event (kind=poll)
///
/// Records args[0] as nfds and converts the timeval behind args[4] to
/// nanoseconds. timeout_ns stays -1 when no timeout pointer is passed or the
/// user-memory read fails.
SEC("tracepoint/syscalls/sys_enter_select")
int handle_sys_enter_select(struct syscall_trace_enter *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_SELECT))
        return 0;
    struct poll_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct poll_event), 0);
    if (!ev)
        return 0;
    ev->event_type = ENTER_POLL_EVENT;
    ev->trace_id = SYS_ENTER_SELECT;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->nfds = (__s32)ctx->args[0];
    ev->timeout_ns = -1;
    if (ctx->args[4] != 0) {
        // Local mirror of the caller's timeval as two 64-bit fields.
        // NOTE(review): assumes the native 64-bit layout - confirm that
        // 32-bit callers never reach this tracepoint.
        struct __ior_timeval {
            __s64 tv_sec;
            __s64 tv_usec;
        } tv = {};
        if (bpf_probe_read_user(&tv, sizeof(tv), (void *)ctx->args[4]) == 0) {
            // Both fields are caller-controlled and not range-checked: a
            // large tv_sec makes the product wrap, and a negative or wrapped
            // result can even equal the -1 "not set" value. Consumers should
            // treat timeout_ns as unvalidated input.
            ev->timeout_ns = tv.tv_sec * 1000000000LL + tv.tv_usec * 1000LL;
        }
    }
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_select is a struct ret_event (UNCLASSIFIED) (kind=ret)
///
/// Reports the select return value; same drop conditions as the other
/// ret_event handlers.
SEC("tracepoint/syscalls/sys_exit_select")
int handle_sys_exit_select(struct syscall_trace_exit *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_SELECT, ctx->ret))
        return 0;
    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev)
        return 0;
    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_SELECT;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_pselect6 is a struct poll_event (kind=poll)
///
/// Same shape as the select handler, but args[4] points at a timespec, so
/// the nanosecond field is added without scaling. timeout_ns stays -1 when
/// no timeout pointer is passed or the read fails.
SEC("tracepoint/syscalls/sys_enter_pselect6")
int handle_sys_enter_pselect6(struct syscall_trace_enter *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_PSELECT6))
        return 0;
    struct poll_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct poll_event), 0);
    if (!ev)
        return 0;
    ev->event_type = ENTER_POLL_EVENT;
    ev->trace_id = SYS_ENTER_PSELECT6;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->nfds = (__s32)ctx->args[0];
    ev->timeout_ns = -1;
    if (ctx->args[4] != 0) {
        // Local mirror of the caller's timespec as two 64-bit fields.
        struct __ior_timespec {
            __s64 tv_sec;
            __s64 tv_nsec;
        } ts = {};
        if (bpf_probe_read_user(&ts, sizeof(ts), (void *)ctx->args[4]) == 0) {
            // Caller-controlled and unchecked, as in the select handler: the
            // multiplication can wrap for a large tv_sec.
            ev->timeout_ns = ts.tv_sec * 1000000000LL + ts.tv_nsec;
        }
    }
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_pselect6 is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_pselect6")
int handle_sys_exit_pselect6(struct syscall_trace_exit *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_PSELECT6, ctx->ret))
        return 0;
    struct ret_event *ev = bpf_ringbuf_reserve(&event_map,
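sizeof(struct ret_event), 0); if (!ev) return 0; ev->event_type = EXIT_RET_EVENT; ev->trace_id = SYS_EXIT_PSELECT6; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); ev->ret = ctx->ret; ev->ret_type = UNCLASSIFIED; bpf_ringbuf_submit(ev, 0); return 0; }

// ---------------------------------------------------------------------------
// Syscall tracepoint handlers: poll, ppoll, getdents, getdents64, ioctl,
// fcntl, mknodat and the entry half of mknod.
// (The statement line above is the tail of a handler that starts earlier in
// the file; it is left exactly as found.)
//
// NOTE(review): the file header says this code is generated. The only
// hand-made change in this span is the timespec validation in
// handle_sys_enter_ppoll; it has to be mirrored in the generator or it will be
// lost on the next regeneration.
//
// Every handler has the same shape:
//   1. filter(&pid, &tid): a non-zero result ends the handler. pid and tid are
//      read only after it returns 0, so filter is expected to fill them in.
//   2. ior_on_syscall_enter() / ior_on_syscall_exit(): project helpers defined
//      elsewhere; a zero result suppresses the event. Exit handlers pass the
//      SYS_ENTER_* id to the helper and store the SYS_EXIT_* id in trace_id.
//   3. bpf_ringbuf_reserve(): NULL means no space was available; the event is
//      dropped and nothing in this code counts or reports the drop.
//   4. Fill the record and bpf_ringbuf_submit() it. A reserved record must
//      always reach the submit, so no early return may be added in between.
//
// Caveats when these records are used as security telemetry:
//   - User memory is read at syscall entry, before the kernel takes its own
//     copy. Another thread can rewrite the buffer in between, so a recorded
//     path or timespec is not guaranteed to be the one the kernel acted on.
//   - bpf_probe_read_user_str() results are ignored: an unreadable pointer
//     yields an empty string and an over-long string is silently cut to the
//     field size.
//   - Because of step 3, a missing record does not prove a missing syscall.
// ---------------------------------------------------------------------------

// poll entry. nfds is args[1] narrowed to __s32, so a count above INT32_MAX is
// not represented faithfully. The millisecond timeout (args[2]) is converted to
// nanoseconds; a negative timeout is reported as timeout_ns == -1. The pollfd
// array pointer (args[0]) is not read.
/// sys_enter_poll is a struct poll_event (kind=poll)
SEC("tracepoint/syscalls/sys_enter_poll")
int handle_sys_enter_poll(struct syscall_trace_enter *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_POLL))
        return 0;
    struct poll_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct poll_event), 0);
    if (!ev)
        return 0;
    ev->event_type = ENTER_POLL_EVENT;
    ev->trace_id = SYS_ENTER_POLL;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->nfds = (__s32)ctx->args[1];
    ev->timeout_ns = -1;
    __s32 timeout_ms = (__s32)ctx->args[2];
    if (timeout_ms >= 0) {
        // Widen before multiplying: INT32_MAX ms does not fit in 32 bits as ns.
        ev->timeout_ns = ((__s64)timeout_ms) * 1000000LL;
    }
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

// poll exit: reports ctx->ret, tagged UNCLASSIFIED.
/// sys_exit_poll is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_poll")
int handle_sys_exit_poll(struct syscall_trace_exit *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_POLL, ctx->ret))
        return 0;
    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev)
        return 0;
    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_POLL;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

// ppoll entry. nfds is handled as in poll. The timeout is a user-space
// timespec pointer (args[2]); timeout_ns stays -1 when the pointer is NULL,
// when the read fails, or when the timespec is not well formed.
/// sys_enter_ppoll is a struct poll_event (kind=poll)
SEC("tracepoint/syscalls/sys_enter_ppoll")
int handle_sys_enter_ppoll(struct syscall_trace_enter *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_PPOLL))
        return 0;
    struct poll_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct poll_event), 0);
    if (!ev)
        return 0;
    ev->event_type = ENTER_POLL_EVENT;
    ev->trace_id = SYS_ENTER_PPOLL;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->nfds = (__s32)ctx->args[1];
    ev->timeout_ns = -1;
    if (ctx->args[2] != 0) {
        struct __ior_timespec {
            __s64 tv_sec;
            __s64 tv_nsec;
        } ts = {};
        if (bpf_probe_read_user(&ts, sizeof(ts), (void *)ctx->args[2]) == 0) {
            // tv_sec and tv_nsec are caller-controlled. Converting them
            // unchecked overflows __s64 for large tv_sec and lets a malformed
            // timespec produce an arbitrary timeout_ns, including the -1
            // sentinel. Only a well-formed timespec is converted, and a value
            // too large for nanoseconds saturates instead of wrapping.
            if (ts.tv_sec >= 0 && ts.tv_nsec >= 0 && ts.tv_nsec < 1000000000LL) {
                // 9223372035 s * 1e9 + 999999999 ns still fits in __s64.
                if (ts.tv_sec > 9223372035LL)
                    ev->timeout_ns = 0x7fffffffffffffffLL;
                else
                    ev->timeout_ns = ts.tv_sec * 1000000000LL + ts.tv_nsec;
            }
        }
    }
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

// ppoll exit: reports ctx->ret, tagged UNCLASSIFIED.
/// sys_exit_ppoll is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_ppoll")
int handle_sys_exit_ppoll(struct syscall_trace_exit *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_PPOLL, ctx->ret))
        return 0;
    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev)
        return 0;
    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_PPOLL;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

// getdents entry: records the directory fd (args[0]) only.
/// sys_enter_getdents is a struct fd_event (kind=fd)
SEC("tracepoint/syscalls/sys_enter_getdents")
int handle_sys_enter_getdents(struct syscall_trace_enter *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_GETDENTS))
        return 0;
    struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
    if (!ev)
        return 0;
    ev->event_type = ENTER_FD_EVENT;
    ev->trace_id = SYS_ENTER_GETDENTS;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->fd = (__s32)ctx->args[0];
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

// getdents exit: reports ctx->ret, tagged READ_CLASSIFIED (presumably the
// consumer accounts ret as bytes read; confirm against the event consumer).
/// sys_exit_getdents is a struct ret_event (READ_CLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_getdents")
int handle_sys_exit_getdents(struct syscall_trace_exit *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_GETDENTS, ctx->ret))
        return 0;
    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev)
        return 0;
    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_GETDENTS;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = READ_CLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

// getdents64 entry: records the directory fd (args[0]) only.
/// sys_enter_getdents64 is a struct fd_event (kind=fd)
SEC("tracepoint/syscalls/sys_enter_getdents64")
int handle_sys_enter_getdents64(struct syscall_trace_enter *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_GETDENTS64))
        return 0;
    struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
    if (!ev)
        return 0;
    ev->event_type = ENTER_FD_EVENT;
    ev->trace_id = SYS_ENTER_GETDENTS64;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->fd = (__s32)ctx->args[0];
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

// getdents64 exit: reports ctx->ret, tagged READ_CLASSIFIED.
/// sys_exit_getdents64 is a struct ret_event (READ_CLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_getdents64")
int handle_sys_exit_getdents64(struct syscall_trace_exit *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_GETDENTS64, ctx->ret))
        return 0;
    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev)
        return 0;
    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_GETDENTS64;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = READ_CLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

// ioctl entry: records the fd (args[0]) only. The request code (args[1]) and
// its argument (args[2]) are not captured, so the record cannot tell which
// ioctl was issued.
/// sys_enter_ioctl is a struct fd_event (kind=fd)
SEC("tracepoint/syscalls/sys_enter_ioctl")
int handle_sys_enter_ioctl(struct syscall_trace_enter *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_IOCTL))
        return 0;
    struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
    if (!ev)
        return 0;
    ev->event_type = ENTER_FD_EVENT;
    ev->trace_id = SYS_ENTER_IOCTL;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->fd = (__s32)ctx->args[0];
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

// ioctl exit: reports ctx->ret, tagged UNCLASSIFIED.
/// sys_exit_ioctl is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_ioctl")
int handle_sys_exit_ioctl(struct syscall_trace_exit *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_IOCTL, ctx->ret))
        return 0;
    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev)
        return 0;
    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_IOCTL;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

// fcntl entry: records fd, cmd and arg (args[0..2]) with no explicit cast, so
// each value is implicitly converted to its field type in struct fcntl_event
// (declared elsewhere). arg is stored as a raw value; when cmd takes a
// pointer, the pointed-to data is not read.
/// sys_enter_fcntl is a struct fcntl_event (kind=fcntl)
SEC("tracepoint/syscalls/sys_enter_fcntl")
int handle_sys_enter_fcntl(struct syscall_trace_enter *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_FCNTL))
        return 0;
    struct fcntl_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fcntl_event), 0);
    if (!ev)
        return 0;
    ev->event_type = ENTER_FCNTL_EVENT;
    ev->trace_id = SYS_ENTER_FCNTL;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->fd = ctx->args[0];
    ev->cmd = ctx->args[1];
    ev->arg = ctx->args[2];
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

// fcntl exit: reports ctx->ret, tagged UNCLASSIFIED.
/// sys_exit_fcntl is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_fcntl")
int handle_sys_exit_fcntl(struct syscall_trace_exit *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_FCNTL, ctx->ret))
        return 0;
    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev)
        return 0;
    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_FCNTL;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

// mknodat entry: records the pathname (args[1]). The dirfd (args[0]) is not
// captured, so a relative pathname cannot be resolved from this record alone.
/// sys_enter_mknodat is a struct path_event (kind=pathname)
SEC("tracepoint/syscalls/sys_enter_mknodat")
int handle_sys_enter_mknodat(struct syscall_trace_enter *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_MKNODAT))
        return 0;
    struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
    if (!ev)
        return 0;
    ev->event_type = ENTER_PATH_EVENT;
    ev->trace_id = SYS_ENTER_MKNODAT;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    // Reserved ring-buffer memory is not cleared by the helper; zero the
    // buffer so bytes after the terminator never carry older record data.
    __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
    bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]);
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

// mknodat exit: reports ctx->ret, tagged UNCLASSIFIED.
/// sys_exit_mknodat is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_mknodat")
int handle_sys_exit_mknodat(struct syscall_trace_exit *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_MKNODAT, ctx->ret))
        return 0;
    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev)
        return 0;
    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_MKNODAT;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

// mknod entry: records the pathname (args[0]).
/// sys_enter_mknod is a struct path_event (kind=pathname)
SEC("tracepoint/syscalls/sys_enter_mknod")
int handle_sys_enter_mknod(struct syscall_trace_enter *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_MKNOD))
        return 0;
    struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
    if (!ev)
        return 0;
    ev->event_type = ENTER_PATH_EVENT;
    ev->trace_id = SYS_ENTER_MKNOD;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
    bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]);
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_mknod is a struct ret_event (UNCLASSIFIED) (kind=ret)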
SEC("tracepoint/syscalls/sys_exit_mknod")
int handle_sys_exit_mknod(struct syscall_trace_exit *ctx) {
    // mknod exit: reports ctx->ret, tagged UNCLASSIFIED.
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_MKNOD, ctx->ret))
        return 0;
    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev)
        return 0;
    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_MKNOD;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

// ---------------------------------------------------------------------------
// Syscall tracepoint handlers: mknod (exit, above), mkdirat, mkdir, rmdir,
// unlinkat, unlink, symlinkat and symlink. The file header marks this code as
// generated, so lasting changes belong in the generator.
//
// Every handler has the same shape:
//   1. filter(&pid, &tid): a non-zero result ends the handler. pid and tid are
//      read only after it returns 0, so filter is expected to fill them in.
//   2. ior_on_syscall_enter() / ior_on_syscall_exit(): project helpers defined
//      elsewhere; a zero result suppresses the event. Exit handlers pass the
//      SYS_ENTER_* id to the helper and store the SYS_EXIT_* id in trace_id.
//   3. bpf_ringbuf_reserve(): NULL means no space was available; the event is
//      dropped and nothing in this code counts or reports the drop.
//   4. Fill the record and bpf_ringbuf_submit() it. A reserved record must
//      always reach the submit, so no early return may be added in between.
//
// Caveats when these records are used as security telemetry:
//   - Path strings are copied from user memory at syscall entry, before the
//     kernel takes its own copy. Another thread can rewrite the buffer in
//     between, so the recorded path is not guaranteed to be the one the
//     kernel acted on.
//   - bpf_probe_read_user_str() results are ignored: an unreadable pointer
//     yields an empty string and an over-long path is silently cut to the
//     field size.
//   - The *at variants record neither the dirfd nor the flags argument, so a
//     relative path cannot be resolved from the record alone.
//   - Because of step 3, a missing record does not prove a missing syscall.
//   - The buffers are zeroed before each read because reserved ring-buffer
//     memory is not cleared by the helper; without it, bytes after the
//     terminator could carry data from an older record.
// ---------------------------------------------------------------------------

// mkdirat entry: records the pathname (args[1]); dirfd (args[0]) is not read.
/// sys_enter_mkdirat is a struct path_event (kind=pathname)
SEC("tracepoint/syscalls/sys_enter_mkdirat")
int handle_sys_enter_mkdirat(struct syscall_trace_enter *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_MKDIRAT))
        return 0;
    struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
    if (!ev)
        return 0;
    ev->event_type = ENTER_PATH_EVENT;
    ev->trace_id = SYS_ENTER_MKDIRAT;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
    bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]);
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

// mkdirat exit: reports ctx->ret, tagged UNCLASSIFIED.
/// sys_exit_mkdirat is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_mkdirat")
int handle_sys_exit_mkdirat(struct syscall_trace_exit *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_MKDIRAT, ctx->ret))
        return 0;
    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev)
        return 0;
    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_MKDIRAT;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

// mkdir entry: records the pathname (args[0]).
/// sys_enter_mkdir is a struct path_event (kind=pathname)
SEC("tracepoint/syscalls/sys_enter_mkdir")
int handle_sys_enter_mkdir(struct syscall_trace_enter *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_MKDIR))
        return 0;
    struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
    if (!ev)
        return 0;
    ev->event_type = ENTER_PATH_EVENT;
    ev->trace_id = SYS_ENTER_MKDIR;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
    bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]);
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

// mkdir exit: reports ctx->ret, tagged UNCLASSIFIED.
/// sys_exit_mkdir is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_mkdir")
int handle_sys_exit_mkdir(struct syscall_trace_exit *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_MKDIR, ctx->ret))
        return 0;
    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev)
        return 0;
    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_MKDIR;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

// rmdir entry: records the pathname (args[0]).
/// sys_enter_rmdir is a struct path_event (kind=pathname)
SEC("tracepoint/syscalls/sys_enter_rmdir")
int handle_sys_enter_rmdir(struct syscall_trace_enter *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_RMDIR))
        return 0;
    struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
    if (!ev)
        return 0;
    ev->event_type = ENTER_PATH_EVENT;
    ev->trace_id = SYS_ENTER_RMDIR;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
    bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]);
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

// rmdir exit: reports ctx->ret, tagged UNCLASSIFIED.
/// sys_exit_rmdir is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_rmdir")
int handle_sys_exit_rmdir(struct syscall_trace_exit *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_RMDIR, ctx->ret))
        return 0;
    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev)
        return 0;
    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_RMDIR;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

// unlinkat entry: records the pathname (args[1]). dirfd (args[0]) and flags
// (args[2]) are not read, so the record does not show whether the call removed
// a file or a directory.
/// sys_enter_unlinkat is a struct path_event (kind=pathname)
SEC("tracepoint/syscalls/sys_enter_unlinkat")
int handle_sys_enter_unlinkat(struct syscall_trace_enter *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_UNLINKAT))
        return 0;
    struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
    if (!ev)
        return 0;
    ev->event_type = ENTER_PATH_EVENT;
    ev->trace_id = SYS_ENTER_UNLINKAT;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
    bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]);
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

// unlinkat exit: reports ctx->ret, tagged UNCLASSIFIED.
/// sys_exit_unlinkat is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_unlinkat")
int handle_sys_exit_unlinkat(struct syscall_trace_exit *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_UNLINKAT, ctx->ret))
        return 0;
    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev)
        return 0;
    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_UNLINKAT;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

// unlink entry: records the pathname (args[0]).
/// sys_enter_unlink is a struct path_event (kind=pathname)
SEC("tracepoint/syscalls/sys_enter_unlink")
int handle_sys_enter_unlink(struct syscall_trace_enter *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_UNLINK))
        return 0;
    struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
    if (!ev)
        return 0;
    ev->event_type = ENTER_PATH_EVENT;
    ev->trace_id = SYS_ENTER_UNLINK;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
    bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]);
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

// unlink exit: reports ctx->ret, tagged UNCLASSIFIED.
/// sys_exit_unlink is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_unlink")
int handle_sys_exit_unlink(struct syscall_trace_exit *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_UNLINK, ctx->ret))
        return 0;
    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev)
        return 0;
    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_UNLINK;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

// symlinkat entry: oldname is the link target (args[0]) and newname the link
// path (args[2]); newdirfd (args[1]) is not read.
/// sys_enter_symlinkat is a struct name_event (kind=name)
SEC("tracepoint/syscalls/sys_enter_symlinkat")
int handle_sys_enter_symlinkat(struct syscall_trace_enter *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_SYMLINKAT))
        return 0;
    struct name_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct name_event), 0);
    if (!ev)
        return 0;
    ev->event_type = ENTER_NAME_EVENT;
    ev->trace_id = SYS_ENTER_SYMLINKAT;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    // One memset clears both buffers. NOTE(review): this relies on newname
    // directly following oldname in struct name_event with no padding; the
    // struct is declared elsewhere, confirm the layout there.
    __builtin_memset(&(ev->oldname), 0, sizeof(ev->oldname) + sizeof(ev->newname));
    bpf_probe_read_user_str(ev->oldname, sizeof(ev->oldname), (void*)ctx->args[0]);
    bpf_probe_read_user_str(ev->newname, sizeof(ev->newname), (void*)ctx->args[2]);
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

// symlinkat exit: reports ctx->ret, tagged UNCLASSIFIED.
/// sys_exit_symlinkat is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_symlinkat")
int handle_sys_exit_symlinkat(struct syscall_trace_exit *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_SYMLINKAT, ctx->ret))
        return 0;
    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev)
        return 0;
    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_SYMLINKAT;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

// symlink entry: oldname is the link target (args[0]) and newname the link
// path (args[1]).
/// sys_enter_symlink is a struct name_event (kind=name)
SEC("tracepoint/syscalls/sys_enter_symlink")
int handle_sys_enter_symlink(struct syscall_trace_enter *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_SYMLINK))
        return 0;
    struct name_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct name_event), 0);
    if (!ev)
        return 0;
    ev->event_type = ENTER_NAME_EVENT;
    ev->trace_id = SYS_ENTER_SYMLINK;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    // Same two-buffer memset as in handle_sys_enter_symlinkat; it depends on
    // oldname and newname being adjacent in struct name_event.
    __builtin_memset(&(ev->oldname), 0, sizeof(ev->oldname) + sizeof(ev->newname));
    bpf_probe_read_user_str(ev->oldname, sizeof(ev->oldname), (void*)ctx->args[0]);
    bpf_probe_read_user_str(ev->newname, sizeof(ev->newname), (void*)ctx->args[1]);
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

// symlink exit: reports ctx->ret, tagged UNCLASSIFIED.
/// sys_exit_symlink is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_symlink")
int handle_sys_exit_symlink(struct syscall_trace_exit *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_SYMLINK, ctx->ret))
        return 0;
    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev)
        return 0;
    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_SYMLINK;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}
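// ---------------------------------------------------------------------------
// Syscall tracepoint handlers: linkat, link, renameat2, renameat, rename,
// pipe2, pipe, execve, execveat, newstat, newlstat, newfstatat, newfstat,
// readlinkat and readlink.
// (The last two lines of this span are the start of a handler that continues
// later in the file; its code is left exactly as found.)
//
// NOTE(review): the file header says this code is generated. The hand-made
// changes in this span are confined to the four pipe/pipe2 handlers; they have
// to be mirrored in the generator or they will be lost on the next
// regeneration.
//
// Every handler has the same shape:
//   1. filter(&pid, &tid): a non-zero result ends the handler. pid and tid are
//      read only after it returns 0, so filter is expected to fill them in.
//   2. ior_on_syscall_enter() / ior_on_syscall_exit(): project helpers defined
//      elsewhere; a zero result suppresses the event. Exit handlers pass the
//      SYS_ENTER_* id to the helper and store the SYS_EXIT_* id in trace_id.
//   3. bpf_ringbuf_reserve(): NULL means no space was available; the event is
//      dropped and nothing in this code counts or reports the drop.
//   4. Fill the record and bpf_ringbuf_submit() it. A reserved record must
//      always reach the submit, so no early return may be added in between.
//
// Caveats when these records are used as security telemetry:
//   - Strings are copied from user memory at syscall entry, before the kernel
//     takes its own copy. Another thread can rewrite the buffer in between,
//     so a recorded path is not guaranteed to be the one the kernel acted on.
//   - bpf_probe_read_user_str() results are ignored: an unreadable pointer
//     yields an empty string and an over-long string is silently cut to the
//     field size.
//   - Path and name records of the *at variants carry no dirfd and no flags,
//     so a relative path cannot be resolved from the record alone.
//   - Because of step 3, a missing record does not prove a missing syscall.
//   - String buffers are zeroed before each read because reserved ring-buffer
//     memory is not cleared by the helper. The name_event and exec_event
//     handlers clear two adjacent fields with one memset; that relies on the
//     fields being contiguous in structs declared elsewhere (confirm there).
// ---------------------------------------------------------------------------

// linkat entry: oldname is args[1], newname is args[3]; both dirfds and the
// flags argument are not read.
/// sys_enter_linkat is a struct name_event (kind=name)
SEC("tracepoint/syscalls/sys_enter_linkat")
int handle_sys_enter_linkat(struct syscall_trace_enter *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_LINKAT))
        return 0;
    struct name_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct name_event), 0);
    if (!ev)
        return 0;
    ev->event_type = ENTER_NAME_EVENT;
    ev->trace_id = SYS_ENTER_LINKAT;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    __builtin_memset(&(ev->oldname), 0, sizeof(ev->oldname) + sizeof(ev->newname));
    bpf_probe_read_user_str(ev->oldname, sizeof(ev->oldname), (void*)ctx->args[1]);
    bpf_probe_read_user_str(ev->newname, sizeof(ev->newname), (void*)ctx->args[3]);
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

// linkat exit: reports ctx->ret, tagged UNCLASSIFIED.
/// sys_exit_linkat is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_linkat")
int handle_sys_exit_linkat(struct syscall_trace_exit *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_LINKAT, ctx->ret))
        return 0;
    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev)
        return 0;
    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_LINKAT;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

// link entry: oldname is args[0], newname is args[1].
/// sys_enter_link is a struct name_event (kind=name)
SEC("tracepoint/syscalls/sys_enter_link")
int handle_sys_enter_link(struct syscall_trace_enter *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_LINK))
        return 0;
    struct name_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct name_event), 0);
    if (!ev)
        return 0;
    ev->event_type = ENTER_NAME_EVENT;
    ev->trace_id = SYS_ENTER_LINK;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    __builtin_memset(&(ev->oldname), 0, sizeof(ev->oldname) + sizeof(ev->newname));
    bpf_probe_read_user_str(ev->oldname, sizeof(ev->oldname), (void*)ctx->args[0]);
    bpf_probe_read_user_str(ev->newname, sizeof(ev->newname), (void*)ctx->args[1]);
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

// link exit: reports ctx->ret, tagged UNCLASSIFIED.
/// sys_exit_link is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_link")
int handle_sys_exit_link(struct syscall_trace_exit *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_LINK, ctx->ret))
        return 0;
    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev)
        return 0;
    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_LINK;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

// renameat2 entry: oldname is args[1], newname is args[3]; the dirfds and the
// flags argument (args[4]) are not read.
/// sys_enter_renameat2 is a struct name_event (kind=name)
SEC("tracepoint/syscalls/sys_enter_renameat2")
int handle_sys_enter_renameat2(struct syscall_trace_enter *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_RENAMEAT2))
        return 0;
    struct name_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct name_event), 0);
    if (!ev)
        return 0;
    ev->event_type = ENTER_NAME_EVENT;
    ev->trace_id = SYS_ENTER_RENAMEAT2;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    __builtin_memset(&(ev->oldname), 0, sizeof(ev->oldname) + sizeof(ev->newname));
    bpf_probe_read_user_str(ev->oldname, sizeof(ev->oldname), (void*)ctx->args[1]);
    bpf_probe_read_user_str(ev->newname, sizeof(ev->newname), (void*)ctx->args[3]);
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

// renameat2 exit: reports ctx->ret, tagged UNCLASSIFIED.
/// sys_exit_renameat2 is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_renameat2")
int handle_sys_exit_renameat2(struct syscall_trace_exit *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_RENAMEAT2, ctx->ret))
        return 0;
    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev)
        return 0;
    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_RENAMEAT2;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

// renameat entry: oldname is args[1], newname is args[3]; the dirfds are not
// read.
/// sys_enter_renameat is a struct name_event (kind=name)
SEC("tracepoint/syscalls/sys_enter_renameat")
int handle_sys_enter_renameat(struct syscall_trace_enter *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_RENAMEAT))
        return 0;
    struct name_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct name_event), 0);
    if (!ev)
        return 0;
    ev->event_type = ENTER_NAME_EVENT;
    ev->trace_id = SYS_ENTER_RENAMEAT;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    __builtin_memset(&(ev->oldname), 0, sizeof(ev->oldname) + sizeof(ev->newname));
    bpf_probe_read_user_str(ev->oldname, sizeof(ev->oldname), (void*)ctx->args[1]);
    bpf_probe_read_user_str(ev->newname, sizeof(ev->newname), (void*)ctx->args[3]);
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

// renameat exit: reports ctx->ret, tagged UNCLASSIFIED.
/// sys_exit_renameat is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_renameat")
int handle_sys_exit_renameat(struct syscall_trace_exit *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_RENAMEAT, ctx->ret))
        return 0;
    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev)
        return 0;
    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_RENAMEAT;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

// rename entry: oldname is args[0], newname is args[1].
/// sys_enter_rename is a struct name_event (kind=name)
SEC("tracepoint/syscalls/sys_enter_rename")
int handle_sys_enter_rename(struct syscall_trace_enter *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_RENAME))
        return 0;
    struct name_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct name_event), 0);
    if (!ev)
        return 0;
    ev->event_type = ENTER_NAME_EVENT;
    ev->trace_id = SYS_ENTER_RENAME;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    __builtin_memset(&(ev->oldname), 0, sizeof(ev->oldname) + sizeof(ev->newname));
    bpf_probe_read_user_str(ev->oldname, sizeof(ev->oldname), (void*)ctx->args[0]);
    bpf_probe_read_user_str(ev->newname, sizeof(ev->newname), (void*)ctx->args[1]);
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

// rename exit: reports ctx->ret, tagged UNCLASSIFIED.
/// sys_exit_rename is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_rename")
int handle_sys_exit_rename(struct syscall_trace_exit *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_RENAME, ctx->ret))
        return 0;
    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev)
        return 0;
    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_RENAME;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

// pipe2 entry: emits a pipe_event with fd0/fd1 = -1 (the descriptors do not
// exist yet) and stores the user pointer to the fd pair plus the flags in
// pipe_ctx_map, keyed by tid, for the exit handler.
// NOTE(review): the bpf_map_update_elem() result is ignored; if the map is
// full the exit record reports fd0/fd1 as -1.
/// sys_enter_pipe2 is a struct pipe_event (kind=pipe)
SEC("tracepoint/syscalls/sys_enter_pipe2")
int handle_sys_enter_pipe2(struct syscall_trace_enter *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_PIPE2))
        return 0;
    struct pipe_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct pipe_event), 0);
    if (!ev)
        return 0;
    ev->event_type = ENTER_PIPE_EVENT;
    ev->trace_id = SYS_ENTER_PIPE2;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    struct pipe_ctx pending;
    // The whole value is copied into the map, so clear it first: struct
    // pipe_ctx is declared elsewhere and any padding or further member would
    // otherwise carry uninitialised stack bytes.
    __builtin_memset(&pending, 0, sizeof(pending));
    pending.upipefd = ctx->args[0];
    pending.flags = (__s32)ctx->args[1];
    bpf_map_update_elem(&pipe_ctx_map, &tid, &pending, BPF_ANY);
    ev->flags = pending.flags;
    ev->fd0 = -1;
    ev->fd1 = -1;
    ev->ret = 0;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

// pipe2 exit: reports the return value and, on success, the two descriptors
// the kernel wrote to the user buffer recorded at entry.
//
// The per-thread context is looked up and deleted before the ring-buffer
// reservation. With the reservation first, a full ring buffer returned early
// and left the entry in pipe_ctx_map; a later pipe call on the same tid whose
// entry record was dropped would then pair its exit with that stale pointer
// and flags.
// NOTE(review): an entry can still be left behind when filter() or
// ior_on_syscall_exit() ends the handler early; whether that can happen after
// a stored entry depends on those helpers, which are not visible here.
/// sys_exit_pipe2 is a struct pipe_event (kind=pipe)
SEC("tracepoint/syscalls/sys_exit_pipe2")
int handle_sys_exit_pipe2(struct syscall_trace_exit *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_PIPE2, ctx->ret))
        return 0;

    __s32 flags = 0;
    __s32 fd0 = -1;
    __s32 fd1 = -1;
    struct pipe_ctx *pending = bpf_map_lookup_elem(&pipe_ctx_map, &tid);
    if (pending) {
        flags = pending->flags;
        // The fd pair is only meaningful after a successful call.
        if (ctx->ret == 0 && pending->upipefd != 0) {
            int pipefd[2];
            if (bpf_probe_read_user(&pipefd, sizeof(pipefd), (void *)pending->upipefd) == 0) {
                fd0 = (__s32)pipefd[0];
                fd1 = (__s32)pipefd[1];
            }
        }
        bpf_map_delete_elem(&pipe_ctx_map, &tid);
    }

    struct pipe_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct pipe_event), 0);
    if (!ev)
        return 0;
    ev->event_type = EXIT_PIPE_EVENT;
    ev->trace_id = SYS_EXIT_PIPE2;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->flags = flags;
    ev->fd0 = fd0;
    ev->fd1 = fd1;
    ev->ret = ctx->ret;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

// pipe entry: same as pipe2 entry, with flags fixed to 0 because pipe takes no
// flags argument.
/// sys_enter_pipe is a struct pipe_event (kind=pipe)
SEC("tracepoint/syscalls/sys_enter_pipe")
int handle_sys_enter_pipe(struct syscall_trace_enter *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_PIPE))
        return 0;
    struct pipe_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct pipe_event), 0);
    if (!ev)
        return 0;
    ev->event_type = ENTER_PIPE_EVENT;
    ev->trace_id = SYS_ENTER_PIPE;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    struct pipe_ctx pending;
    // Clear the whole value before it is copied into the map (see pipe2).
    __builtin_memset(&pending, 0, sizeof(pending));
    pending.upipefd = ctx->args[0];
    pending.flags = 0;
    bpf_map_update_elem(&pipe_ctx_map, &tid, &pending, BPF_ANY);
    ev->flags = pending.flags;
    ev->fd0 = -1;
    ev->fd1 = -1;
    ev->ret = 0;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

// pipe exit: same as pipe2 exit; the per-thread context is consumed before the
// ring-buffer reservation so a full buffer cannot leave a stale map entry.
/// sys_exit_pipe is a struct pipe_event (kind=pipe)
SEC("tracepoint/syscalls/sys_exit_pipe")
int handle_sys_exit_pipe(struct syscall_trace_exit *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_PIPE, ctx->ret))
        return 0;

    __s32 flags = 0;
    __s32 fd0 = -1;
    __s32 fd1 = -1;
    struct pipe_ctx *pending = bpf_map_lookup_elem(&pipe_ctx_map, &tid);
    if (pending) {
        flags = pending->flags;
        if (ctx->ret == 0 && pending->upipefd != 0) {
            int pipefd[2];
            if (bpf_probe_read_user(&pipefd, sizeof(pipefd), (void *)pending->upipefd) == 0) {
                fd0 = (__s32)pipefd[0];
                fd1 = (__s32)pipefd[1];
            }
        }
        bpf_map_delete_elem(&pipe_ctx_map, &tid);
    }

    struct pipe_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct pipe_event), 0);
    if (!ev)
        return 0;
    ev->event_type = EXIT_PIPE_EVENT;
    ev->trace_id = SYS_EXIT_PIPE;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->flags = flags;
    ev->fd0 = fd0;
    ev->fd1 = fd1;
    ev->ret = ctx->ret;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

// execve entry: records the program path (args[0]) and the caller's comm.
// comm is sampled at entry, so it names the task before the exec takes effect.
// argv (args[1]) and envp (args[2]) are not read; the record identifies the
// requested path only, and that path is subject to the entry-time-copy and
// truncation caveats listed at the top of this span.
/// sys_enter_execve is a struct exec_event (kind=exec)
SEC("tracepoint/syscalls/sys_enter_execve")
int handle_sys_enter_execve(struct syscall_trace_enter *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_EXECVE))
        return 0;
    struct exec_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct exec_event), 0);
    if (!ev)
        return 0;
    ev->event_type = ENTER_EXEC_EVENT;
    ev->trace_id = SYS_ENTER_EXECVE;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    // One memset clears filename and comm; it relies on comm directly
    // following filename in struct exec_event (declared elsewhere).
    __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm));
    bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[0]);
    bpf_get_current_comm(&ev->comm, sizeof(ev->comm));
    // execve has no dirfd or flags; use fixed values so both exec variants
    // share one record layout.
    ev->dirfd = -1;
    ev->flags = 0;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

// execve exit: reports ctx->ret, tagged UNCLASSIFIED.
/// sys_exit_execve is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_execve")
int handle_sys_exit_execve(struct syscall_trace_exit *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_EXECVE, ctx->ret))
        return 0;
    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev)
        return 0;
    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_EXECVE;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

// execveat entry: records dirfd (args[0]), the path (args[1]), flags (args[4])
// and the caller's comm at entry. argv and envp are not read. The path may be
// an empty string when the caller executes the dirfd itself, so dirfd and
// flags are needed to interpret the record.
/// sys_enter_execveat is a struct exec_event (kind=exec)
SEC("tracepoint/syscalls/sys_enter_execveat")
int handle_sys_enter_execveat(struct syscall_trace_enter *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_EXECVEAT))
        return 0;
    struct exec_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct exec_event), 0);
    if (!ev)
        return 0;
    ev->event_type = ENTER_EXEC_EVENT;
    ev->trace_id = SYS_ENTER_EXECVEAT;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm));
    bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[1]);
    bpf_get_current_comm(&ev->comm, sizeof(ev->comm));
    ev->dirfd = (__s32)ctx->args[0];
    ev->flags = (__s32)ctx->args[4];
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

// execveat exit: reports ctx->ret, tagged UNCLASSIFIED.
/// sys_exit_execveat is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_execveat")
int handle_sys_exit_execveat(struct syscall_trace_exit *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_EXECVEAT, ctx->ret))
        return 0;
    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev)
        return 0;
    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_EXECVEAT;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

// newstat entry: records the pathname (args[0]).
/// sys_enter_newstat is a struct path_event (kind=pathname)
SEC("tracepoint/syscalls/sys_enter_newstat")
int handle_sys_enter_newstat(struct syscall_trace_enter *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_NEWSTAT))
        return 0;
    struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
    if (!ev)
        return 0;
    ev->event_type = ENTER_PATH_EVENT;
    ev->trace_id = SYS_ENTER_NEWSTAT;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
    bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]);
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

// newstat exit: reports ctx->ret, tagged UNCLASSIFIED.
/// sys_exit_newstat is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_newstat")
int handle_sys_exit_newstat(struct syscall_trace_exit *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_NEWSTAT, ctx->ret))
        return 0;
    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev)
        return 0;
    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_NEWSTAT;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

// newlstat entry: records the pathname (args[0]).
/// sys_enter_newlstat is a struct path_event (kind=pathname)
SEC("tracepoint/syscalls/sys_enter_newlstat")
int handle_sys_enter_newlstat(struct syscall_trace_enter *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_NEWLSTAT))
        return 0;
    struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
    if (!ev)
        return 0;
    ev->event_type = ENTER_PATH_EVENT;
    ev->trace_id = SYS_ENTER_NEWLSTAT;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
    bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]);
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

// newlstat exit: reports ctx->ret, tagged UNCLASSIFIED.
/// sys_exit_newlstat is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_newlstat")
int handle_sys_exit_newlstat(struct syscall_trace_exit *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_NEWLSTAT, ctx->ret))
        return 0;
    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev)
        return 0;
    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_NEWLSTAT;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

// newfstatat entry: records the pathname (args[1]); dirfd (args[0]) and flags
// are not read.
/// sys_enter_newfstatat is a struct path_event (kind=pathname)
SEC("tracepoint/syscalls/sys_enter_newfstatat")
int handle_sys_enter_newfstatat(struct syscall_trace_enter *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_NEWFSTATAT))
        return 0;
    struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
    if (!ev)
        return 0;
    ev->event_type = ENTER_PATH_EVENT;
    ev->trace_id = SYS_ENTER_NEWFSTATAT;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
    bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]);
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

// newfstatat exit: reports ctx->ret, tagged UNCLASSIFIED.
/// sys_exit_newfstatat is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_newfstatat")
int handle_sys_exit_newfstatat(struct syscall_trace_exit *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_NEWFSTATAT, ctx->ret))
        return 0;
    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev)
        return 0;
    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_NEWFSTATAT;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

// newfstat entry: records the fd (args[0]) only.
/// sys_enter_newfstat is a struct fd_event (kind=fd)
SEC("tracepoint/syscalls/sys_enter_newfstat")
int handle_sys_enter_newfstat(struct syscall_trace_enter *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_NEWFSTAT))
        return 0;
    struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
    if (!ev)
        return 0;
    ev->event_type = ENTER_FD_EVENT;
    ev->trace_id = SYS_ENTER_NEWFSTAT;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->fd = (__s32)ctx->args[0];
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

// newfstat exit: reports ctx->ret, tagged UNCLASSIFIED.
/// sys_exit_newfstat is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_newfstat")
int handle_sys_exit_newfstat(struct syscall_trace_exit *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_NEWFSTAT, ctx->ret))
        return 0;
    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev)
        return 0;
    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_NEWFSTAT;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

// readlinkat entry: records the link path (args[1]); dirfd (args[0]) is not
// read, and the resolved target written to the caller's buffer is not
// captured.
/// sys_enter_readlinkat is a struct path_event (kind=pathname)
SEC("tracepoint/syscalls/sys_enter_readlinkat")
int handle_sys_enter_readlinkat(struct syscall_trace_enter *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_READLINKAT))
        return 0;
    struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
    if (!ev)
        return 0;
    ev->event_type = ENTER_PATH_EVENT;
    ev->trace_id = SYS_ENTER_READLINKAT;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
    bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]);
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

// readlinkat exit: reports ctx->ret, tagged READ_CLASSIFIED (presumably the
// consumer accounts ret as bytes read; confirm against the event consumer).
/// sys_exit_readlinkat is a struct ret_event (READ_CLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_readlinkat")
int handle_sys_exit_readlinkat(struct syscall_trace_exit *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_READLINKAT, ctx->ret))
        return 0;
    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev)
        return 0;
    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_READLINKAT;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = READ_CLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

// readlink entry: records the link path (args[0]).
/// sys_enter_readlink is a struct path_event (kind=pathname)
SEC("tracepoint/syscalls/sys_enter_readlink")
int handle_sys_enter_readlink(struct syscall_trace_enter *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_READLINK))
        return 0;
    struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
    if (!ev)
        return 0;
    ev->event_type = ENTER_PATH_EVENT;
    ev->trace_id = SYS_ENTER_READLINK;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
    bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]);
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

// readlink exit: reports ctx->ret, tagged READ_CLASSIFIED.
/// sys_exit_readlink is a struct ret_event (READ_CLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_readlink")
int handle_sys_exit_readlink(struct syscall_trace_exit *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_READLINK, ctx->ret))
        return 0;
    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev)
        return 0;
    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_READLINK;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = READ_CLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_statx is a struct path_event (kind=pathname)
SEC("tracepoint/syscalls/sys_enter_statx") int handle_sys_enter_statx(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; if (!ior_on_syscall_enter(tid, SYS_ENTER_STATX)) return 0; struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; ev->event_type = ENTER_PATH_EVENT; ev->trace_id = SYS_ENTER_STATX; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); __builtin_memset(&(ev->pathname), 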
0, sizeof(ev->pathname)); bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]); bpf_ringbuf_submit(ev, 0); return 0; } /// sys_exit_statx is a struct ret_event (UNCLASSIFIED) (kind=ret) SEC("tracepoint/syscalls/sys_exit_statx") int handle_sys_exit_statx(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; if (!ior_on_syscall_exit(tid, SYS_ENTER_STATX, ctx->ret)) return 0; struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; ev->event_type = EXIT_RET_EVENT; ev->trace_id = SYS_EXIT_STATX; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); ev->ret = ctx->ret; ev->ret_type = UNCLASSIFIED; bpf_ringbuf_submit(ev, 0); return 0; } /// sys_enter_lseek is a struct fd_event (kind=fd) SEC("tracepoint/syscalls/sys_enter_lseek") int handle_sys_enter_lseek(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; if (!ior_on_syscall_enter(tid, SYS_ENTER_LSEEK)) return 0; struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; ev->event_type = ENTER_FD_EVENT; ev->trace_id = SYS_ENTER_LSEEK; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); ev->fd = (__s32)ctx->args[0]; bpf_ringbuf_submit(ev, 0); return 0; } /// sys_exit_lseek is a struct ret_event (UNCLASSIFIED) (kind=ret) SEC("tracepoint/syscalls/sys_exit_lseek") int handle_sys_exit_lseek(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; if (!ior_on_syscall_exit(tid, SYS_ENTER_LSEEK, ctx->ret)) return 0; struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; ev->event_type = EXIT_RET_EVENT; ev->trace_id = SYS_EXIT_LSEEK; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); ev->ret = ctx->ret; ev->ret_type = UNCLASSIFIED; bpf_ringbuf_submit(ev, 0); return 0; } /// sys_enter_read is a struct fd_event (kind=fd) 
SEC("tracepoint/syscalls/sys_enter_read")
int handle_sys_enter_read(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;

    /* Emit nothing when filter() returns non-zero or the enter hook returns 0. */
    if (filter(&pid, &tid) ||
        !ior_on_syscall_enter(tid, SYS_ENTER_READ))
        return 0;

    /*
     * NOTE(review): the reserved slot is not cleared here and only the named
     * fields are written; if struct fd_event has padding, confirm that the
     * consumer ignores those bytes.
     */
    struct fd_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0; /* no slot available: this event is dropped */

    rec->event_type = ENTER_FD_EVENT;
    rec->trace_id = SYS_ENTER_READ;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    rec->fd = (__s32)ctx->args[0]; /* first syscall argument, narrowed to 32 bits */
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_read is a struct ret_event (READ_CLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_read")
int handle_sys_exit_read(struct syscall_trace_exit *ctx)
{
    __u32 pid, tid;

    /*
     * The exit hook is called with the SYS_ENTER_* id, presumably as the key
     * that pairs this exit with its enter record (confirm in
     * ior_on_syscall_exit).
     */
    if (filter(&pid, &tid) ||
        !ior_on_syscall_exit(tid, SYS_ENTER_READ, ctx->ret))
        return 0;

    struct ret_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_READ;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret = ctx->ret;
    rec->ret_type = READ_CLASSIFIED;
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_write is a struct fd_event (kind=fd)
SEC("tracepoint/syscalls/sys_enter_write")
int handle_sys_enter_write(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid) ||
        !ior_on_syscall_enter(tid, SYS_ENTER_WRITE))
        return 0;

    struct fd_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->event_type = ENTER_FD_EVENT;
    rec->trace_id = SYS_ENTER_WRITE;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    rec->fd = (__s32)ctx->args[0];
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_write is a struct ret_event (WRITE_CLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_write")
int handle_sys_exit_write(struct syscall_trace_exit *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid) ||
        !ior_on_syscall_exit(tid, SYS_ENTER_WRITE, ctx->ret))
        return 0;

    struct ret_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_WRITE;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret = ctx->ret;
    rec->ret_type = WRITE_CLASSIFIED;
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_pread64 is a struct fd_event (kind=fd)
SEC("tracepoint/syscalls/sys_enter_pread64")
int handle_sys_enter_pread64(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid) ||
        !ior_on_syscall_enter(tid, SYS_ENTER_PREAD64))
        return 0;

    struct fd_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->event_type = ENTER_FD_EVENT;
    rec->trace_id = SYS_ENTER_PREAD64;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    rec->fd = (__s32)ctx->args[0];
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_pread64 is a struct ret_event (READ_CLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_pread64")
int handle_sys_exit_pread64(struct syscall_trace_exit *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid) ||
        !ior_on_syscall_exit(tid, SYS_ENTER_PREAD64, ctx->ret))
        return 0;

    struct ret_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_PREAD64;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret = ctx->ret;
    rec->ret_type = READ_CLASSIFIED;
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_pwrite64 is a struct fd_event (kind=fd)
SEC("tracepoint/syscalls/sys_enter_pwrite64")
int handle_sys_enter_pwrite64(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid) ||
        !ior_on_syscall_enter(tid, SYS_ENTER_PWRITE64))
        return 0;

    struct fd_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->event_type = ENTER_FD_EVENT;
    rec->trace_id = SYS_ENTER_PWRITE64;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    rec->fd = (__s32)ctx->args[0];
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_pwrite64 is a struct ret_event (WRITE_CLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_pwrite64")
int handle_sys_exit_pwrite64(struct syscall_trace_exit *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid) ||
        !ior_on_syscall_exit(tid, SYS_ENTER_PWRITE64, ctx->ret))
        return 0;

    struct ret_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_PWRITE64;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret = ctx->ret;
    rec->ret_type = WRITE_CLASSIFIED;
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_readv is a struct fd_event (kind=fd)
SEC("tracepoint/syscalls/sys_enter_readv")
int handle_sys_enter_readv(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid) ||
        !ior_on_syscall_enter(tid, SYS_ENTER_READV))
        return 0;

    struct fd_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->event_type = ENTER_FD_EVENT;
    rec->trace_id = SYS_ENTER_READV;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    rec->fd = (__s32)ctx->args[0];
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_readv is a struct ret_event (READ_CLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_readv")
int handle_sys_exit_readv(struct syscall_trace_exit *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid) ||
        !ior_on_syscall_exit(tid, SYS_ENTER_READV, ctx->ret))
        return 0;

    struct ret_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_READV;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret = ctx->ret;
    rec->ret_type = READ_CLASSIFIED;
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_writev is a struct fd_event (kind=fd)
SEC("tracepoint/syscalls/sys_enter_writev")
int handle_sys_enter_writev(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;

    /* Emit nothing when filter() returns non-zero or the enter hook returns 0. */
    if (filter(&pid, &tid) ||
        !ior_on_syscall_enter(tid, SYS_ENTER_WRITEV))
        return 0;

    /*
     * NOTE(review): the reserved slot is not cleared here and only the named
     * fields are written; if struct fd_event has padding, confirm that the
     * consumer ignores those bytes.
     */
    struct fd_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0; /* no slot available: this event is dropped */

    rec->event_type = ENTER_FD_EVENT;
    rec->trace_id = SYS_ENTER_WRITEV;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    rec->fd = (__s32)ctx->args[0]; /* first syscall argument, narrowed to 32 bits */
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_writev is a struct ret_event (WRITE_CLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_writev")
int handle_sys_exit_writev(struct syscall_trace_exit *ctx)
{
    __u32 pid, tid;

    /*
     * The exit hook is called with the SYS_ENTER_* id, presumably as the key
     * that pairs this exit with its enter record (confirm in
     * ior_on_syscall_exit).
     */
    if (filter(&pid, &tid) ||
        !ior_on_syscall_exit(tid, SYS_ENTER_WRITEV, ctx->ret))
        return 0;

    struct ret_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_WRITEV;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret = ctx->ret;
    rec->ret_type = WRITE_CLASSIFIED;
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_preadv is a struct fd_event (kind=fd)
SEC("tracepoint/syscalls/sys_enter_preadv")
int handle_sys_enter_preadv(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid) ||
        !ior_on_syscall_enter(tid, SYS_ENTER_PREADV))
        return 0;

    struct fd_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->event_type = ENTER_FD_EVENT;
    rec->trace_id = SYS_ENTER_PREADV;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    rec->fd = (__s32)ctx->args[0];
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_preadv is a struct ret_event (READ_CLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_preadv")
int handle_sys_exit_preadv(struct syscall_trace_exit *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid) ||
        !ior_on_syscall_exit(tid, SYS_ENTER_PREADV, ctx->ret))
        return 0;

    struct ret_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_PREADV;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret = ctx->ret;
    rec->ret_type = READ_CLASSIFIED;
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_preadv2 is a struct fd_event (kind=fd)
SEC("tracepoint/syscalls/sys_enter_preadv2")
int handle_sys_enter_preadv2(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid) ||
        !ior_on_syscall_enter(tid, SYS_ENTER_PREADV2))
        return 0;

    struct fd_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->event_type = ENTER_FD_EVENT;
    rec->trace_id = SYS_ENTER_PREADV2;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    rec->fd = (__s32)ctx->args[0];
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_preadv2 is a struct ret_event (READ_CLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_preadv2")
int handle_sys_exit_preadv2(struct syscall_trace_exit *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid) ||
        !ior_on_syscall_exit(tid, SYS_ENTER_PREADV2, ctx->ret))
        return 0;

    struct ret_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_PREADV2;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret = ctx->ret;
    rec->ret_type = READ_CLASSIFIED;
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_pwritev is a struct fd_event (kind=fd)
SEC("tracepoint/syscalls/sys_enter_pwritev")
int handle_sys_enter_pwritev(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid) ||
        !ior_on_syscall_enter(tid, SYS_ENTER_PWRITEV))
        return 0;

    struct fd_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->event_type = ENTER_FD_EVENT;
    rec->trace_id = SYS_ENTER_PWRITEV;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    rec->fd = (__s32)ctx->args[0];
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_pwritev is a struct ret_event (WRITE_CLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_pwritev")
int handle_sys_exit_pwritev(struct syscall_trace_exit *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid) ||
        !ior_on_syscall_exit(tid, SYS_ENTER_PWRITEV, ctx->ret))
        return 0;

    struct ret_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_PWRITEV;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret = ctx->ret;
    rec->ret_type = WRITE_CLASSIFIED;
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_pwritev2 is a struct fd_event (kind=fd)
SEC("tracepoint/syscalls/sys_enter_pwritev2")
int handle_sys_enter_pwritev2(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid) ||
        !ior_on_syscall_enter(tid, SYS_ENTER_PWRITEV2))
        return 0;

    struct fd_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->event_type = ENTER_FD_EVENT;
    rec->trace_id = SYS_ENTER_PWRITEV2;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    rec->fd = (__s32)ctx->args[0];
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_pwritev2 is a struct ret_event (WRITE_CLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_pwritev2")
int handle_sys_exit_pwritev2(struct syscall_trace_exit *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid) ||
        !ior_on_syscall_exit(tid, SYS_ENTER_PWRITEV2, ctx->ret))
        return 0;

    struct ret_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_PWRITEV2;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret = ctx->ret;
    rec->ret_type = WRITE_CLASSIFIED;
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_sendfile64 is a struct
/// fd_event (kind=fd)
SEC("tracepoint/syscalls/sys_enter_sendfile64")
int handle_sys_enter_sendfile64(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;

    /* Emit nothing when filter() returns non-zero or the enter hook returns 0. */
    if (filter(&pid, &tid) ||
        !ior_on_syscall_enter(tid, SYS_ENTER_SENDFILE64))
        return 0;

    /*
     * NOTE(review): the reserved slot is not cleared here and only the named
     * fields are written; if struct fd_event has padding, confirm that the
     * consumer ignores those bytes.
     */
    struct fd_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0; /* no slot available: this event is dropped */

    rec->event_type = ENTER_FD_EVENT;
    rec->trace_id = SYS_ENTER_SENDFILE64;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    /*
     * sendfile(2) takes out_fd first, so args[0] is the destination
     * descriptor; the source descriptor in args[1] is not captured.
     */
    rec->fd = (__s32)ctx->args[0];
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_sendfile64 is a struct ret_event (TRANSFER_CLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_sendfile64")
int handle_sys_exit_sendfile64(struct syscall_trace_exit *ctx)
{
    __u32 pid, tid;

    /*
     * The exit hook is called with the SYS_ENTER_* id, presumably as the key
     * that pairs this exit with its enter record (confirm in
     * ior_on_syscall_exit).
     */
    if (filter(&pid, &tid) ||
        !ior_on_syscall_exit(tid, SYS_ENTER_SENDFILE64, ctx->ret))
        return 0;

    struct ret_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_SENDFILE64;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret = ctx->ret;
    rec->ret_type = TRANSFER_CLASSIFIED;
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_copy_file_range is a struct fd_event (kind=fd)
SEC("tracepoint/syscalls/sys_enter_copy_file_range")
int handle_sys_enter_copy_file_range(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid) ||
        !ior_on_syscall_enter(tid, SYS_ENTER_COPY_FILE_RANGE))
        return 0;

    struct fd_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->event_type = ENTER_FD_EVENT;
    rec->trace_id = SYS_ENTER_COPY_FILE_RANGE;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    /*
     * copy_file_range(2) takes fd_in first, so args[0] is the source
     * descriptor; the destination descriptor is not captured.
     */
    rec->fd = (__s32)ctx->args[0];
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_copy_file_range is a struct ret_event (TRANSFER_CLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_copy_file_range")
int handle_sys_exit_copy_file_range(struct syscall_trace_exit *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid) ||
        !ior_on_syscall_exit(tid, SYS_ENTER_COPY_FILE_RANGE, ctx->ret))
        return 0;

    struct ret_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_COPY_FILE_RANGE;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret = ctx->ret;
    rec->ret_type = TRANSFER_CLASSIFIED;
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_truncate is a struct path_event (kind=pathname)
SEC("tracepoint/syscalls/sys_enter_truncate")
int handle_sys_enter_truncate(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid) ||
        !ior_on_syscall_enter(tid, SYS_ENTER_TRUNCATE))
        return 0;

    struct path_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->event_type = ENTER_PATH_EVENT;
    rec->trace_id = SYS_ENTER_TRUNCATE;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    /*
     * The buffer is zeroed before the copy, so a short string or a failed
     * user read leaves no stale bytes in the event. The helper's return
     * value is not checked: a failed read is reported as an empty path, and
     * a path longer than the buffer is truncated.
     * The string is what user memory held at syscall entry; another thread
     * can change it before the kernel makes its own copy, so consumers
     * should treat it as the requested path.
     */
    __builtin_memset(&(rec->pathname), 0, sizeof(rec->pathname));
    bpf_probe_read_user_str(rec->pathname, sizeof(rec->pathname),
                            (void *)ctx->args[0]);
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_truncate is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_truncate")
int handle_sys_exit_truncate(struct syscall_trace_exit *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid) ||
        !ior_on_syscall_exit(tid, SYS_ENTER_TRUNCATE, ctx->ret))
        return 0;

    struct ret_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_TRUNCATE;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret = ctx->ret;
    rec->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_ftruncate is a struct fd_event (kind=fd)
SEC("tracepoint/syscalls/sys_enter_ftruncate")
int handle_sys_enter_ftruncate(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid) ||
        !ior_on_syscall_enter(tid, SYS_ENTER_FTRUNCATE))
        return 0;

    struct fd_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->event_type = ENTER_FD_EVENT;
    rec->trace_id = SYS_ENTER_FTRUNCATE;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    rec->fd = (__s32)ctx->args[0];
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_ftruncate is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_ftruncate")
int handle_sys_exit_ftruncate(struct syscall_trace_exit *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid) ||
        !ior_on_syscall_exit(tid, SYS_ENTER_FTRUNCATE, ctx->ret))
        return 0;

    struct ret_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_FTRUNCATE;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret = ctx->ret;
    rec->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_fallocate is a struct fd_event (kind=fd)
SEC("tracepoint/syscalls/sys_enter_fallocate")
int handle_sys_enter_fallocate(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid) ||
        !ior_on_syscall_enter(tid, SYS_ENTER_FALLOCATE))
        return 0;

    struct fd_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->event_type = ENTER_FD_EVENT;
    rec->trace_id = SYS_ENTER_FALLOCATE;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    rec->fd = (__s32)ctx->args[0];
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_fallocate is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_fallocate")
int handle_sys_exit_fallocate(struct syscall_trace_exit *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid) ||
        !ior_on_syscall_exit(tid, SYS_ENTER_FALLOCATE, ctx->ret))
        return 0;

    struct ret_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_FALLOCATE;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret = ctx->ret;
    rec->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_faccessat is a struct path_event (kind=pathname)
SEC("tracepoint/syscalls/sys_enter_faccessat")
int handle_sys_enter_faccessat(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid) ||
        !ior_on_syscall_enter(tid, SYS_ENTER_FACCESSAT))
        return 0;

    struct path_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->event_type = ENTER_PATH_EVENT;
    rec->trace_id = SYS_ENTER_FACCESSAT;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    /*
     * args[1] is the pathname; the dirfd in args[0] is not recorded, so a
     * relative path cannot be anchored from this event alone.
     */
    __builtin_memset(&(rec->pathname), 0, sizeof(rec->pathname));
    bpf_probe_read_user_str(rec->pathname, sizeof(rec->pathname),
                            (void *)ctx->args[1]);
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_faccessat is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_faccessat")
int handle_sys_exit_faccessat(struct syscall_trace_exit *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid) ||
        !ior_on_syscall_exit(tid, SYS_ENTER_FACCESSAT, ctx->ret))
        return 0;

    struct ret_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_FACCESSAT;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret = ctx->ret;
    rec->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_faccessat2 is a struct path_event (kind=pathname)
SEC("tracepoint/syscalls/sys_enter_faccessat2")
int handle_sys_enter_faccessat2(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid) ||
        !ior_on_syscall_enter(tid, SYS_ENTER_FACCESSAT2))
        return 0;

    struct path_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->event_type = ENTER_PATH_EVENT;
    rec->trace_id = SYS_ENTER_FACCESSAT2;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    /* Pathname is args[1]; the dirfd in args[0] is not part of the event. */
    __builtin_memset(&(rec->pathname), 0, sizeof(rec->pathname));
    bpf_probe_read_user_str(rec->pathname, sizeof(rec->pathname),
                            (void *)ctx->args[1]);
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_faccessat2 is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_faccessat2")
int handle_sys_exit_faccessat2(struct syscall_trace_exit *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid) ||
        !ior_on_syscall_exit(tid, SYS_ENTER_FACCESSAT2, ctx->ret))
        return 0;

    struct ret_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_FACCESSAT2;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret = ctx->ret;
    rec->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_access is a struct path_event (kind=pathname)
SEC("tracepoint/syscalls/sys_enter_access")
int handle_sys_enter_access(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid) ||
        !ior_on_syscall_enter(tid, SYS_ENTER_ACCESS))
        return 0;

    struct path_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->event_type = ENTER_PATH_EVENT;
    rec->trace_id = SYS_ENTER_ACCESS;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    /* Zero-fill, then copy the user string from args[0]. */
    __builtin_memset(&(rec->pathname), 0, sizeof(rec->pathname));
    bpf_probe_read_user_str(rec->pathname, sizeof(rec->pathname),
                            (void *)ctx->args[0]);
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_access is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_access")
int handle_sys_exit_access(struct syscall_trace_exit *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid) ||
        !ior_on_syscall_exit(tid, SYS_ENTER_ACCESS, ctx->ret))
        return 0;

    struct ret_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_ACCESS;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret = ctx->ret;
    rec->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_chdir is a struct path_event (kind=pathname)
SEC("tracepoint/syscalls/sys_enter_chdir")
int handle_sys_enter_chdir(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid) ||
        !ior_on_syscall_enter(tid, SYS_ENTER_CHDIR))
        return 0;

    struct path_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->event_type = ENTER_PATH_EVENT;
    rec->trace_id = SYS_ENTER_CHDIR;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    /* Zero-fill, then copy the user string from args[0]. */
    __builtin_memset(&(rec->pathname), 0, sizeof(rec->pathname));
    bpf_probe_read_user_str(rec->pathname, sizeof(rec->pathname),
                            (void *)ctx->args[0]);
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_chdir is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_chdir")
int handle_sys_exit_chdir(struct syscall_trace_exit *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid) ||
        !ior_on_syscall_exit(tid, SYS_ENTER_CHDIR, ctx->ret))
        return 0;

    struct ret_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_CHDIR;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret = ctx->ret;
    rec->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_fchdir is a struct fd_event (kind=fd)
SEC("tracepoint/syscalls/sys_enter_fchdir")
int handle_sys_enter_fchdir(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid) ||
        !ior_on_syscall_enter(tid, SYS_ENTER_FCHDIR))
        return 0;

    struct fd_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->event_type = ENTER_FD_EVENT;
    rec->trace_id = SYS_ENTER_FCHDIR;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    rec->fd = (__s32)ctx->args[0];
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_fchdir is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_fchdir")
int handle_sys_exit_fchdir(struct syscall_trace_exit *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid) ||
        !ior_on_syscall_exit(tid, SYS_ENTER_FCHDIR, ctx->ret))
        return 0;

    struct ret_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_FCHDIR;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret = ctx->ret;
    rec->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_chroot is a struct path_event (kind=pathname)
SEC("tracepoint/syscalls/sys_enter_chroot")
int handle_sys_enter_chroot(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid) ||
        !ior_on_syscall_enter(tid, SYS_ENTER_CHROOT))
        return 0;

    struct path_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->event_type = ENTER_PATH_EVENT;
    rec->trace_id = SYS_ENTER_CHROOT;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    /* Zero-fill, then copy the user string from args[0]. */
    __builtin_memset(&(rec->pathname), 0, sizeof(rec->pathname));
    bpf_probe_read_user_str(rec->pathname, sizeof(rec->pathname),
                            (void *)ctx->args[0]);
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_chroot is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_chroot")
int handle_sys_exit_chroot(struct syscall_trace_exit *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid) ||
        !ior_on_syscall_exit(tid, SYS_ENTER_CHROOT, ctx->ret))
        return 0;

    struct ret_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_CHROOT;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret = ctx->ret;
    rec->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_fchmod is a struct fd_event (kind=fd)
SEC("tracepoint/syscalls/sys_enter_fchmod")
int handle_sys_enter_fchmod(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid) ||
        !ior_on_syscall_enter(tid, SYS_ENTER_FCHMOD))
        return 0;

    struct fd_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->event_type = ENTER_FD_EVENT;
    rec->trace_id = SYS_ENTER_FCHMOD;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    rec->fd = (__s32)ctx->args[0];
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_fchmod is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_fchmod")
int handle_sys_exit_fchmod(struct syscall_trace_exit *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid) ||
        !ior_on_syscall_exit(tid, SYS_ENTER_FCHMOD, ctx->ret))
        return 0;

    struct ret_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_FCHMOD;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret = ctx->ret;
    rec->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_fchmodat2 is a struct path_event (kind=pathname)
SEC("tracepoint/syscalls/sys_enter_fchmodat2")
int handle_sys_enter_fchmodat2(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid) ||
        !ior_on_syscall_enter(tid, SYS_ENTER_FCHMODAT2))
        return 0;

    struct path_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->event_type = ENTER_PATH_EVENT;
    rec->trace_id = SYS_ENTER_FCHMODAT2;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    /* Pathname is args[1]; the dirfd in args[0] is not part of the event. */
    __builtin_memset(&(rec->pathname), 0, sizeof(rec->pathname));
    bpf_probe_read_user_str(rec->pathname, sizeof(rec->pathname),
                            (void *)ctx->args[1]);
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_fchmodat2 is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_fchmodat2")
int handle_sys_exit_fchmodat2(struct syscall_trace_exit *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid) ||
        !ior_on_syscall_exit(tid, SYS_ENTER_FCHMODAT2, ctx->ret))
        return 0;

    struct ret_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_FCHMODAT2;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret = ctx->ret;
    rec->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_fchmodat is a struct path_event (kind=pathname)
SEC("tracepoint/syscalls/sys_enter_fchmodat")
int handle_sys_enter_fchmodat(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid) ||
        !ior_on_syscall_enter(tid, SYS_ENTER_FCHMODAT))
        return 0;

    struct path_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->event_type = ENTER_PATH_EVENT;
    rec->trace_id = SYS_ENTER_FCHMODAT;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    /* Pathname is args[1]; the dirfd in args[0] is not part of the event. */
    __builtin_memset(&(rec->pathname), 0, sizeof(rec->pathname));
    bpf_probe_read_user_str(rec->pathname, sizeof(rec->pathname),
                            (void *)ctx->args[1]);
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_fchmodat is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_fchmodat")
int handle_sys_exit_fchmodat(struct syscall_trace_exit *ctx)
{
    __u32 pid, tid;

    if (filter(&pid, &tid) ||
        !ior_on_syscall_exit(tid, SYS_ENTER_FCHMODAT, ctx->ret))
        return 0;

    struct ret_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_FCHMODAT;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret = ctx->ret;
    rec->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_chmod is a
/// struct path_event (kind=pathname)
// Enter probe for chmod: emits a path_event with the pathname (args[0]).
// The mode argument (args[1]) is not recorded, so the requested permission
// bits are not visible to consumers of this event.
SEC("tracepoint/syscalls/sys_enter_chmod")
int handle_sys_enter_chmod(struct syscall_trace_enter *ctx) {
    __u32 pid, tid;
    // filter() and ior_on_syscall_enter() are defined outside this chunk. A
    // nonzero filter() result, or a zero ior_on_syscall_enter() result, means
    // no event is emitted. pid/tid are presumably filled in by filter().
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_CHMOD))
        return 0;
    struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
    // A NULL reservation (e.g. ring buffer full) drops the event; nothing in
    // this handler counts or reports the loss.
    if (!ev)
        return 0;
    ev->event_type = ENTER_PATH_EVENT;
    ev->trace_id = SYS_ENTER_CHMOD;
    ev->pid = pid;
    ev->tid = tid;
    // Nanoseconds since boot, including time spent suspended.
    ev->time = bpf_ktime_get_boot_ns();
    // Zero the buffer first: memory handed out by bpf_ringbuf_reserve is not
    // cleared, and the string read below stops writing at the NUL.
    __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
    // The read result is not checked: a faulting read still submits the event
    // with an empty path, and an over-long path is truncated silently. The
    // path is sampled from user memory at syscall entry, so it can differ from
    // what the kernel resolves afterwards.
    bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]);
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_chmod is a struct ret_event (UNCLASSIFIED) (kind=ret)
// Exit probe for chmod: emits the return value as a ret_event tagged
// UNCLASSIFIED.
SEC("tracepoint/syscalls/sys_exit_chmod")
int handle_sys_exit_chmod(struct syscall_trace_exit *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    // The enter id (SYS_ENTER_CHMOD) is what gets passed to the exit hook;
    // the emitted event itself is labelled with SYS_EXIT_CHMOD.
    if (!ior_on_syscall_exit(tid, SYS_ENTER_CHMOD, ctx->ret))
        return 0;
    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev)
        return 0;
    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_CHMOD;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_fchownat is a struct path_event (kind=pathname)
// Enter probe for fchownat: emits a path_event with the pathname (args[1]).
// The directory fd (args[0]), owner, group and flags are not recorded, so a
// relative pathname cannot be resolved from this event alone.
SEC("tracepoint/syscalls/sys_enter_fchownat")
int handle_sys_enter_fchownat(struct syscall_trace_enter *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_FCHOWNAT))
        return 0;
    struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
    if (!ev)
        return 0;
    ev->event_type = ENTER_PATH_EVENT;
    ev->trace_id = SYS_ENTER_FCHOWNAT;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    // Zeroed, then filled from user memory; the read result is unchecked.
    __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
    bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]);
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

///
/// sys_exit_fchownat is a struct ret_event (UNCLASSIFIED) (kind=ret)
// Exit probe for fchownat: emits the return value as a ret_event tagged
// UNCLASSIFIED.
SEC("tracepoint/syscalls/sys_exit_fchownat")
int handle_sys_exit_fchownat(struct syscall_trace_exit *ctx) {
    __u32 pid, tid;
    // filter() and ior_on_syscall_exit() are defined outside this chunk. A
    // nonzero filter() result, or a zero ior_on_syscall_exit() result, means
    // no event is emitted. pid/tid are presumably filled in by filter().
    if (filter(&pid, &tid))
        return 0;
    // The enter id (SYS_ENTER_FCHOWNAT) is what gets passed to the exit hook;
    // the emitted event itself is labelled with SYS_EXIT_FCHOWNAT.
    if (!ior_on_syscall_exit(tid, SYS_ENTER_FCHOWNAT, ctx->ret))
        return 0;
    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    // A NULL reservation (e.g. ring buffer full) drops the event; nothing in
    // this handler counts or reports the loss.
    if (!ev)
        return 0;
    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_FCHOWNAT;
    ev->pid = pid;
    ev->tid = tid;
    // Nanoseconds since boot, including time spent suspended.
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_chown is a struct path_event (kind=pathname)
// Enter probe for chown: emits a path_event with the pathname (args[0]).
// The owner and group arguments are not recorded, so consumers see that an
// ownership change was attempted but not the requested ids.
SEC("tracepoint/syscalls/sys_enter_chown")
int handle_sys_enter_chown(struct syscall_trace_enter *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_CHOWN))
        return 0;
    struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
    if (!ev)
        return 0;
    ev->event_type = ENTER_PATH_EVENT;
    ev->trace_id = SYS_ENTER_CHOWN;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    // Zero the buffer first: memory handed out by bpf_ringbuf_reserve is not
    // cleared, and the string read below stops writing at the NUL.
    __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
    // The read result is not checked: a faulting read still submits the event
    // with an empty path, and an over-long path is truncated silently. The
    // path is sampled from user memory at syscall entry, so it can differ from
    // what the kernel resolves afterwards.
    bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]);
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_chown is a struct ret_event (UNCLASSIFIED) (kind=ret)
// Exit probe for chown: emits the return value as a ret_event tagged
// UNCLASSIFIED.
SEC("tracepoint/syscalls/sys_exit_chown")
int handle_sys_exit_chown(struct syscall_trace_exit *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_CHOWN, ctx->ret))
        return 0;
    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev)
        return 0;
    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_CHOWN;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_lchown is a struct path_event (kind=pathname)
// Enter probe for lchown: emits a path_event with the pathname (args[0]).
// The owner and group arguments are not recorded.
SEC("tracepoint/syscalls/sys_enter_lchown")
int handle_sys_enter_lchown(struct syscall_trace_enter *ctx) {
    __u32 pid, tid;
    // filter() and ior_on_syscall_enter() are defined outside this chunk. A
    // nonzero filter() result, or a zero ior_on_syscall_enter() result, means
    // no event is emitted. pid/tid are presumably filled in by filter().
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_LCHOWN))
        return 0;
    struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
    // A NULL reservation (e.g. ring buffer full) drops the event; nothing in
    // this handler counts or reports the loss.
    if (!ev)
        return 0;
    ev->event_type = ENTER_PATH_EVENT;
    ev->trace_id = SYS_ENTER_LCHOWN;
    ev->pid = pid;
    ev->tid = tid;
    // Nanoseconds since boot, including time spent suspended.
    ev->time = bpf_ktime_get_boot_ns();
    // Zero the buffer first: memory handed out by bpf_ringbuf_reserve is not
    // cleared, and the string read below stops writing at the NUL.
    __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
    // The read result is not checked: a faulting read still submits the event
    // with an empty path, and an over-long path is truncated silently. The
    // path is sampled from user memory at syscall entry, so it can differ from
    // what the kernel resolves afterwards.
    bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]);
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_lchown is a struct ret_event (UNCLASSIFIED) (kind=ret)
// Exit probe for lchown: emits the return value as a ret_event tagged
// UNCLASSIFIED.
SEC("tracepoint/syscalls/sys_exit_lchown")
int handle_sys_exit_lchown(struct syscall_trace_exit *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    // The enter id (SYS_ENTER_LCHOWN) is what gets passed to the exit hook;
    // the emitted event itself is labelled with SYS_EXIT_LCHOWN.
    if (!ior_on_syscall_exit(tid, SYS_ENTER_LCHOWN, ctx->ret))
        return 0;
    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev)
        return 0;
    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_LCHOWN;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_fchown is a struct fd_event (kind=fd)
// Enter probe for fchown: emits an fd_event carrying the descriptor (args[0]).
// The owner and group arguments are not recorded.
SEC("tracepoint/syscalls/sys_enter_fchown")
int handle_sys_enter_fchown(struct syscall_trace_enter *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_FCHOWN))
        return 0;
    struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
    if (!ev)
        return 0;
    ev->event_type = ENTER_FD_EVENT;
    ev->trace_id = SYS_ENTER_FCHOWN;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    // The raw argument is narrowed to a signed 32-bit descriptor.
    ev->fd = (__s32)ctx->args[0];
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_fchown is a struct ret_event (UNCLASSIFIED) (kind=ret)
// Exit probe for fchown: emits the return value as a ret_event tagged
// UNCLASSIFIED.
SEC("tracepoint/syscalls/sys_exit_fchown")
int handle_sys_exit_fchown(struct syscall_trace_exit *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_FCHOWN, ctx->ret))
        return 0;
    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev)
        return 0;
    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_FCHOWN;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_open is a struct open_event (kind=open)
// Enter probe for open: emits an open_event with the filename (args[0]), the
// current task's comm and the open flags (args[1]). The mode argument is not
// recorded.
SEC("tracepoint/syscalls/sys_enter_open")
int handle_sys_enter_open(struct syscall_trace_enter *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_OPEN))
        return 0;
    struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0);
    if (!ev)
        return 0;
    ev->event_type = ENTER_OPEN_EVENT;
    ev->trace_id = SYS_ENTER_OPEN;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    // One memset clears filename and comm together, which relies on comm being
    // laid out directly after filename in struct open_event.
    // NOTE(review): struct open_event is declared elsewhere; confirm the
    // layout, or have the generator clear each field on its own.
    __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm));
    // Read result unchecked; the filename is sampled from user memory at
    // syscall entry and can differ from what the kernel resolves afterwards.
    bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[0]);
    bpf_get_current_comm(&ev->comm, sizeof(ev->comm));
    ev->flags = ctx->args[1];
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_open is a struct ret_event (UNCLASSIFIED) (kind=ret)
// Exit probe for open: emits the return value as a ret_event tagged
// UNCLASSIFIED.
SEC("tracepoint/syscalls/sys_exit_open")
int handle_sys_exit_open(struct syscall_trace_exit *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_OPEN, ctx->ret))
        return 0;
    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev)
        return 0;
    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_OPEN;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_openat is a struct open_event (kind=open)
// Enter probe for openat: emits an open_event with the filename (args[1]), the
// current task's comm and the open flags (args[2]). The directory fd (args[0])
// is not recorded, so a relative filename cannot be resolved from this event
// alone.
SEC("tracepoint/syscalls/sys_enter_openat")
int handle_sys_enter_openat(struct syscall_trace_enter *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_OPENAT))
        return 0;
    struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0);
    if (!ev)
        return 0;
    ev->event_type = ENTER_OPEN_EVENT;
    ev->trace_id = SYS_ENTER_OPENAT;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    // Clears filename and comm in one call; assumes the two fields are
    // adjacent in struct open_event (declared elsewhere; confirm).
    __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm));
    bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[1]);
    bpf_get_current_comm(&ev->comm, sizeof(ev->comm));
    ev->flags = ctx->args[2];
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_openat is a struct ret_event (UNCLASSIFIED) (kind=ret)
// Exit probe for openat: emits the return value as a ret_event tagged
// UNCLASSIFIED.
SEC("tracepoint/syscalls/sys_exit_openat")
int handle_sys_exit_openat(struct syscall_trace_exit *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_OPENAT, ctx->ret))
        return 0;
    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev)
        return 0;
    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_OPENAT;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_openat2 is a struct open_event (kind=open)
// Enter probe for openat2: emits an open_event with the filename (args[1]) and
// the current task's comm. The open flags are not captured (see below), and
// the directory fd (args[0]) is not recorded.
SEC("tracepoint/syscalls/sys_enter_openat2")
int handle_sys_enter_openat2(struct syscall_trace_enter *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_OPENAT2))
        return 0;
    struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0);
    if (!ev)
        return 0;
    ev->event_type = ENTER_OPEN_EVENT;
    ev->trace_id = SYS_ENTER_OPENAT2;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    // Clears filename and comm in one call; assumes the two fields are
    // adjacent in struct open_event (declared elsewhere; confirm).
    __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm));
    bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[1]);
    bpf_get_current_comm(&ev->comm, sizeof(ev->comm));
    // openat2 passes its flags inside a user-space struct (args[2] is a
    // pointer), which this handler does not read; -1 is stored as a
    // placeholder instead.
    // NOTE(review): consumers that key on open flags get no usable value for
    // openat2 events; reading the flags out of the user struct would have to
    // be added in the generator.
    ev->flags = -1; // Probably OK
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_openat2 is a struct ret_event (UNCLASSIFIED) (kind=ret)
// Exit probe for openat2: emits the return value as a ret_event tagged
// UNCLASSIFIED.
SEC("tracepoint/syscalls/sys_exit_openat2")
int handle_sys_exit_openat2(struct syscall_trace_exit *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_OPENAT2, ctx->ret))
        return 0;
    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev)
        return 0;
    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_OPENAT2;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_creat is a struct path_event (kind=pathname)
// Enter probe for creat: emits a path_event with the pathname (args[0]).
// The mode argument (args[1]) is not recorded.
SEC("tracepoint/syscalls/sys_enter_creat")
int handle_sys_enter_creat(struct syscall_trace_enter *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_CREAT))
        return 0;
    struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
    if (!ev)
        return 0;
    ev->event_type = ENTER_PATH_EVENT;
    ev->trace_id = SYS_ENTER_CREAT;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    // Zeroed, then filled from user memory; the read result is unchecked.
    __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
    bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]);
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_creat is a struct ret_event (UNCLASSIFIED) (kind=ret)
// Exit probe for creat: emits the return value as a ret_event tagged
// UNCLASSIFIED.
SEC("tracepoint/syscalls/sys_exit_creat")
int handle_sys_exit_creat(struct syscall_trace_exit *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_CREAT, ctx->ret))
        return 0;
    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev)
        return 0;
    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_CREAT;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_close is a struct
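/// fd_event (kind=fd)
// Enter probe for close: emits an fd_event carrying the descriptor (args[0]).
SEC("tracepoint/syscalls/sys_enter_close")
int handle_sys_enter_close(struct syscall_trace_enter *ctx) {
    __u32 pid, tid;
    // filter() and ior_on_syscall_enter() are defined outside this chunk. A
    // nonzero filter() result, or a zero ior_on_syscall_enter() result, means
    // no event is emitted. pid/tid are presumably filled in by filter().
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_CLOSE))
        return 0;
    struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
    // A NULL reservation (e.g. ring buffer full) drops the event; nothing in
    // this handler counts or reports the loss.
    if (!ev)
        return 0;
    ev->event_type = ENTER_FD_EVENT;
    ev->trace_id = SYS_ENTER_CLOSE;
    ev->pid = pid;
    ev->tid = tid;
    // Nanoseconds since boot, including time spent suspended.
    ev->time = bpf_ktime_get_boot_ns();
    // The raw argument is narrowed to a signed 32-bit descriptor.
    ev->fd = (__s32)ctx->args[0];
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_close is a struct ret_event (UNCLASSIFIED) (kind=ret)
// Exit probe for close: emits the return value as a ret_event tagged
// UNCLASSIFIED.
SEC("tracepoint/syscalls/sys_exit_close")
int handle_sys_exit_close(struct syscall_trace_exit *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    // The enter id (SYS_ENTER_CLOSE) is what gets passed to the exit hook;
    // the emitted event itself is labelled with SYS_EXIT_CLOSE.
    if (!ior_on_syscall_exit(tid, SYS_ENTER_CLOSE, ctx->ret))
        return 0;
    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev)
        return 0;
    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_CLOSE;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_vhangup is a struct null_event (kind=null)
// Enter probe for vhangup: emits a null_event (no syscall arguments recorded).
SEC("tracepoint/syscalls/sys_enter_vhangup")
int handle_sys_enter_vhangup(struct syscall_trace_enter *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_VHANGUP))
        return 0;
    struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0);
    if (!ev)
        return 0;
    ev->event_type = ENTER_NULL_EVENT;
    ev->trace_id = SYS_ENTER_VHANGUP;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_vhangup is a struct ret_event (UNCLASSIFIED) (kind=ret)
// Exit probe for vhangup: emits the return value as a ret_event tagged
// UNCLASSIFIED.
SEC("tracepoint/syscalls/sys_exit_vhangup")
int handle_sys_exit_vhangup(struct syscall_trace_exit *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_VHANGUP, ctx->ret))
        return 0;
    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev)
        return 0;
    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_VHANGUP;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_memfd_create is a struct eventfd_event (kind=eventfd)
// Enter probe for memfd_create: emits an eventfd_event with the flags
// (args[1]) and stashes them in eventfd_flags_map, keyed by tid, for the exit
// probe. The name argument (args[0]) is not recorded; since a memfd has no
// path on disk, the flags and the fd reported at exit are all a consumer gets.
SEC("tracepoint/syscalls/sys_enter_memfd_create")
int handle_sys_enter_memfd_create(struct syscall_trace_enter *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_MEMFD_CREATE))
        return 0;
    struct eventfd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct eventfd_event), 0);
    if (!ev)
        return 0;
    ev->event_type = ENTER_EVENTFD_EVENT;
    ev->trace_id = SYS_ENTER_MEMFD_CREATE;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    __s32 flags = (__s32)ctx->args[1];
    // The update result is not checked; if it fails, the exit probe reports
    // flags as 0.
    bpf_map_update_elem(&eventfd_flags_map, &tid, &flags, BPF_ANY);
    ev->flags = flags;
    // No return value exists yet at syscall entry; -1 is a placeholder.
    ev->ret = -1;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_memfd_create is a struct eventfd_event (kind=eventfd)
// Exit probe for memfd_create: emits an eventfd_event with the return value
// and the flags stashed by the enter probe (0 if no entry is found).
SEC("tracepoint/syscalls/sys_exit_memfd_create")
int handle_sys_exit_memfd_create(struct syscall_trace_exit *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_MEMFD_CREATE, ctx->ret))
        return 0;
    // Consume the stashed flags before reserving ring-buffer space. Doing it
    // after the reservation left the map entry behind whenever the reserve
    // failed: entries for exited threads piled up, and a later exit on the
    // same tid could report flags belonging to an earlier call.
    // NOTE(review): this file is generated; the same reordering belongs in
    // the generator template. An entry can presumably still be left behind
    // when ior_on_syscall_exit() rejects the event; confirm its semantics.
    __s32 flags = 0;
    __s32 *pending = bpf_map_lookup_elem(&eventfd_flags_map, &tid);
    if (pending) {
        flags = *pending;
        bpf_map_delete_elem(&eventfd_flags_map, &tid);
    }
    struct eventfd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct eventfd_event), 0);
    if (!ev)
        return 0;
    ev->event_type = EXIT_EVENTFD_EVENT;
    ev->trace_id = SYS_EXIT_MEMFD_CREATE;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->flags = flags;
    ev->ret = ctx->ret;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_memfd_secret is a struct eventfd_event (kind=eventfd)
// Enter probe for memfd_secret: emits an eventfd_event with the flags
// (args[0]) and stashes them in eventfd_flags_map, keyed by tid, for the exit
// probe.
SEC("tracepoint/syscalls/sys_enter_memfd_secret")
int handle_sys_enter_memfd_secret(struct syscall_trace_enter *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_MEMFD_SECRET))
        return 0;
    struct eventfd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct eventfd_event), 0);
    if (!ev)
        return 0;
    ev->event_type = ENTER_EVENTFD_EVENT;
    ev->trace_id = SYS_ENTER_MEMFD_SECRET;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    __s32 flags = (__s32)ctx->args[0];
    // The update result is not checked; if it fails, the exit probe reports
    // flags as 0.
    bpf_map_update_elem(&eventfd_flags_map, &tid, &flags, BPF_ANY);
    ev->flags = flags;
    // No return value exists yet at syscall entry; -1 is a placeholder.
    ev->ret = -1;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_memfd_secret is a struct eventfd_event (kind=eventfd)
// Exit probe for memfd_secret: emits an eventfd_event with the return value
// and the flags stashed by the enter probe (0 if no entry is found).
SEC("tracepoint/syscalls/sys_exit_memfd_secret")
int handle_sys_exit_memfd_secret(struct syscall_trace_exit *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_MEMFD_SECRET, ctx->ret))
        return 0;
    // Consume the stashed flags before reserving ring-buffer space, so a
    // failed reservation cannot leave a stale entry in eventfd_flags_map.
    __s32 flags = 0;
    __s32 *pending = bpf_map_lookup_elem(&eventfd_flags_map, &tid);
    if (pending) {
        flags = *pending;
        bpf_map_delete_elem(&eventfd_flags_map, &tid);
    }
    struct eventfd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct eventfd_event), 0);
    if (!ev)
        return 0;
    ev->event_type = EXIT_EVENTFD_EVENT;
    ev->trace_id = SYS_EXIT_MEMFD_SECRET;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->flags = flags;
    ev->ret = ctx->ret;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_move_pages is a struct null_event (kind=null)
// Enter probe for move_pages: emits a null_event (no syscall arguments
// recorded, including the target pid).
SEC("tracepoint/syscalls/sys_enter_move_pages")
int handle_sys_enter_move_pages(struct syscall_trace_enter *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_MOVE_PAGES))
        return 0;
    struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0);
    if (!ev)
        return 0;
    ev->event_type = ENTER_NULL_EVENT;
    ev->trace_id = SYS_ENTER_MOVE_PAGES;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

///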
/// sys_exit_move_pages is a struct ret_event (UNCLASSIFIED) (kind=ret)
// Exit probe for move_pages: emits the return value as a ret_event tagged
// UNCLASSIFIED.
SEC("tracepoint/syscalls/sys_exit_move_pages")
int handle_sys_exit_move_pages(struct syscall_trace_exit *ctx) {
    __u32 pid, tid;
    // filter() and ior_on_syscall_exit() are defined outside this chunk. A
    // nonzero filter() result, or a zero ior_on_syscall_exit() result, means
    // no event is emitted. pid/tid are presumably filled in by filter().
    if (filter(&pid, &tid))
        return 0;
    // The enter id (SYS_ENTER_MOVE_PAGES) is what gets passed to the exit
    // hook; the emitted event itself is labelled with SYS_EXIT_MOVE_PAGES.
    if (!ior_on_syscall_exit(tid, SYS_ENTER_MOVE_PAGES, ctx->ret))
        return 0;
    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    // A NULL reservation (e.g. ring buffer full) drops the event; nothing in
    // this handler counts or reports the loss.
    if (!ev)
        return 0;
    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_MOVE_PAGES;
    ev->pid = pid;
    ev->tid = tid;
    // Nanoseconds since boot, including time spent suspended.
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_set_mempolicy_home_node is a struct null_event (kind=null)
// Enter probe for set_mempolicy_home_node: emits a null_event (no syscall
// arguments recorded).
SEC("tracepoint/syscalls/sys_enter_set_mempolicy_home_node")
int handle_sys_enter_set_mempolicy_home_node(struct syscall_trace_enter *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_SET_MEMPOLICY_HOME_NODE))
        return 0;
    struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0);
    if (!ev)
        return 0;
    ev->event_type = ENTER_NULL_EVENT;
    ev->trace_id = SYS_ENTER_SET_MEMPOLICY_HOME_NODE;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_set_mempolicy_home_node is a struct ret_event (UNCLASSIFIED) (kind=ret)
// Exit probe for set_mempolicy_home_node: emits the return value as a
// ret_event tagged UNCLASSIFIED.
SEC("tracepoint/syscalls/sys_exit_set_mempolicy_home_node")
int handle_sys_exit_set_mempolicy_home_node(struct syscall_trace_exit *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_SET_MEMPOLICY_HOME_NODE, ctx->ret))
        return 0;
    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev)
        return 0;
    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_SET_MEMPOLICY_HOME_NODE;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_mbind is a struct
/// null_event (kind=null)
// Enter probe for mbind: emits a null_event (no syscall arguments recorded).
SEC("tracepoint/syscalls/sys_enter_mbind")
int handle_sys_enter_mbind(struct syscall_trace_enter *ctx) {
    __u32 pid, tid;
    // filter() and ior_on_syscall_enter() are defined outside this chunk. A
    // nonzero filter() result, or a zero ior_on_syscall_enter() result, means
    // no event is emitted. pid/tid are presumably filled in by filter().
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_MBIND))
        return 0;
    struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0);
    // A NULL reservation (e.g. ring buffer full) drops the event; nothing in
    // this handler counts or reports the loss.
    if (!ev)
        return 0;
    ev->event_type = ENTER_NULL_EVENT;
    ev->trace_id = SYS_ENTER_MBIND;
    ev->pid = pid;
    ev->tid = tid;
    // Nanoseconds since boot, including time spent suspended.
    ev->time = bpf_ktime_get_boot_ns();
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_mbind is a struct ret_event (UNCLASSIFIED) (kind=ret)
// Exit probe for mbind: emits the return value as a ret_event tagged
// UNCLASSIFIED.
SEC("tracepoint/syscalls/sys_exit_mbind")
int handle_sys_exit_mbind(struct syscall_trace_exit *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    // The enter id (SYS_ENTER_MBIND) is what gets passed to the exit hook;
    // the emitted event itself is labelled with SYS_EXIT_MBIND.
    if (!ior_on_syscall_exit(tid, SYS_ENTER_MBIND, ctx->ret))
        return 0;
    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev)
        return 0;
    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_MBIND;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_set_mempolicy is a struct null_event (kind=null)
// Enter probe for set_mempolicy: emits a null_event (no syscall arguments
// recorded).
SEC("tracepoint/syscalls/sys_enter_set_mempolicy")
int handle_sys_enter_set_mempolicy(struct syscall_trace_enter *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_SET_MEMPOLICY))
        return 0;
    struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0);
    if (!ev)
        return 0;
    ev->event_type = ENTER_NULL_EVENT;
    ev->trace_id = SYS_ENTER_SET_MEMPOLICY;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_set_mempolicy is a struct ret_event (UNCLASSIFIED) (kind=ret)
// Exit probe for set_mempolicy: emits the return value as a ret_event tagged
// UNCLASSIFIED.
SEC("tracepoint/syscalls/sys_exit_set_mempolicy")
int handle_sys_exit_set_mempolicy(struct syscall_trace_exit *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_SET_MEMPOLICY, ctx->ret))
        return 0;
    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev)
        return 0;
    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_SET_MEMPOLICY;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_migrate_pages is a struct null_event (kind=null)
// Enter probe for migrate_pages: emits a null_event (no syscall arguments
// recorded, including the target pid).
SEC("tracepoint/syscalls/sys_enter_migrate_pages")
int handle_sys_enter_migrate_pages(struct syscall_trace_enter *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_MIGRATE_PAGES))
        return 0;
    struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0);
    if (!ev)
        return 0;
    ev->event_type = ENTER_NULL_EVENT;
    ev->trace_id = SYS_ENTER_MIGRATE_PAGES;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_migrate_pages is a struct ret_event (UNCLASSIFIED) (kind=ret)
// Exit probe for migrate_pages: emits the return value as a ret_event tagged
// UNCLASSIFIED.
SEC("tracepoint/syscalls/sys_exit_migrate_pages")
int handle_sys_exit_migrate_pages(struct syscall_trace_exit *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_MIGRATE_PAGES, ctx->ret))
        return 0;
    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev)
        return 0;
    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_MIGRATE_PAGES;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_get_mempolicy is a struct null_event (kind=null)
// Enter probe for get_mempolicy: emits a null_event (no syscall arguments
// recorded).
SEC("tracepoint/syscalls/sys_enter_get_mempolicy")
int handle_sys_enter_get_mempolicy(struct syscall_trace_enter *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_GET_MEMPOLICY))
        return 0;
    struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0);
    if (!ev)
        return 0;
    ev->event_type = ENTER_NULL_EVENT;
    ev->trace_id = SYS_ENTER_GET_MEMPOLICY;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_get_mempolicy is a struct ret_event (UNCLASSIFIED) (kind=ret)
// Exit probe for get_mempolicy: emits the return value as a ret_event tagged
// UNCLASSIFIED.
SEC("tracepoint/syscalls/sys_exit_get_mempolicy")
int handle_sys_exit_get_mempolicy(struct syscall_trace_exit *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_GET_MEMPOLICY, ctx->ret))
        return 0;
    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev)
        return 0;
    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_GET_MEMPOLICY;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_swapoff is a struct path_event (kind=pathname)
// Enter probe for swapoff: emits a path_event with the pathname (args[0]).
SEC("tracepoint/syscalls/sys_enter_swapoff")
int handle_sys_enter_swapoff(struct syscall_trace_enter *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_SWAPOFF))
        return 0;
    struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
    if (!ev)
        return 0;
    ev->event_type = ENTER_PATH_EVENT;
    ev->trace_id = SYS_ENTER_SWAPOFF;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    // Zero the buffer first: memory handed out by bpf_ringbuf_reserve is not
    // cleared, and the string read below stops writing at the NUL.
    __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
    // The read result is not checked: a faulting read still submits the event
    // with an empty path, and an over-long path is truncated silently. The
    // path is sampled from user memory at syscall entry, so it can differ from
    // what the kernel resolves afterwards.
    bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]);
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_swapoff is a struct ret_event (UNCLASSIFIED) (kind=ret)
// Exit probe for swapoff: emits the return value as a ret_event tagged
// UNCLASSIFIED.
SEC("tracepoint/syscalls/sys_exit_swapoff")
int handle_sys_exit_swapoff(struct syscall_trace_exit *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_SWAPOFF, ctx->ret))
        return 0;
    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev)
        return 0;
    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_SWAPOFF;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_swapon is a struct path_event (kind=pathname)
// Enter probe for swapon: emits a path_event with the pathname (args[0]).
// The swap flags argument (args[1]) is not recorded.
SEC("tracepoint/syscalls/sys_enter_swapon")
int handle_sys_enter_swapon(struct syscall_trace_enter *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_SWAPON))
        return 0;
    struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
    if (!ev)
        return 0;
    ev->event_type = ENTER_PATH_EVENT;
    ev->trace_id = SYS_ENTER_SWAPON;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    // Zeroed, then filled from user memory; the read result is unchecked.
    __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
    bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]);
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_swapon is a struct ret_event (UNCLASSIFIED) (kind=ret)
// Exit probe for swapon: emits the return value as a ret_event tagged
// UNCLASSIFIED.
SEC("tracepoint/syscalls/sys_exit_swapon")
int handle_sys_exit_swapon(struct syscall_trace_exit *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_SWAPON, ctx->ret))
        return 0;
    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev)
        return 0;
    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_SWAPON;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_madvise is a struct mem_event (kind=mem)
// Enter probe for madvise: emits a mem_event with the address (args[0]), the
// length (args[1]) and, in the flags field, the advice value (args[2]).
SEC("tracepoint/syscalls/sys_enter_madvise")
int handle_sys_enter_madvise(struct syscall_trace_enter *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_MADVISE))
        return 0;
    struct mem_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct mem_event), 0);
    if (!ev)
        return 0;
    ev->event_type = ENTER_MEM_EVENT;
    ev->trace_id = SYS_ENTER_MADVISE;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->addr = (__u64)ctx->args[0];
    ev->length = (__u64)ctx->args[1];
    // madvise has a single length; the second length slot is set to 0.
    ev->length2 = 0;
    ev->flags = (__u64)ctx->args[2];
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_madvise is a struct ret_event (UNCLASSIFIED) (kind=ret)
// Exit probe for madvise: emits the return value as a ret_event tagged
// UNCLASSIFIED.
SEC("tracepoint/syscalls/sys_exit_madvise")
int handle_sys_exit_madvise(struct syscall_trace_exit *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_MADVISE, ctx->ret))
        return 0;
    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev)
        return 0;
    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_MADVISE;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_process_madvise is a struct fd_event (kind=fd)
// Enter probe for process_madvise: emits an fd_event whose fd is args[0]. For
// this syscall that argument is a pidfd naming the target process, not a file
// descriptor for a file. The address ranges, advice and flags are not
// recorded.
SEC("tracepoint/syscalls/sys_enter_process_madvise")
int handle_sys_enter_process_madvise(struct syscall_trace_enter *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_PROCESS_MADVISE))
        return 0;
    struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
    if (!ev)
        return 0;
    ev->event_type = ENTER_FD_EVENT;
    ev->trace_id = SYS_ENTER_PROCESS_MADVISE;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    // The raw argument is narrowed to a signed 32-bit descriptor.
    ev->fd = (__s32)ctx->args[0];
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_process_madvise is a struct ret_event (UNCLASSIFIED) (kind=ret)
// Exit probe for process_madvise: emits the return value as a ret_event tagged
// UNCLASSIFIED.
SEC("tracepoint/syscalls/sys_exit_process_madvise")
int handle_sys_exit_process_madvise(struct syscall_trace_exit *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_PROCESS_MADVISE, ctx->ret))
        return 0;
    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev)
        return 0;
    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_PROCESS_MADVISE;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_mseal is a struct mem_event (kind=mem)
// Enter probe for mseal: emits a mem_event with the address (args[0]), the
// length (args[1]) and the flags (args[2]).
SEC("tracepoint/syscalls/sys_enter_mseal")
int handle_sys_enter_mseal(struct syscall_trace_enter *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_MSEAL))
        return 0;
    struct mem_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct mem_event), 0);
    if (!ev)
        return 0;
    ev->event_type = ENTER_MEM_EVENT;
    ev->trace_id = SYS_ENTER_MSEAL;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->addr = (__u64)ctx->args[0];
    ev->length = (__u64)ctx->args[1];
    // mseal has a single length; the second length slot is set to 0.
    ev->length2 = 0;
    ev->flags = (__u64)ctx->args[2];
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_mseal is a struct ret_event (UNCLASSIFIED) (kind=ret)
// Exit probe for mseal: emits the return value as a ret_event tagged
// UNCLASSIFIED.
SEC("tracepoint/syscalls/sys_exit_mseal")
int handle_sys_exit_mseal(struct syscall_trace_exit *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_MSEAL, ctx->ret))
        return 0;
    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev)
        return 0;
    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_MSEAL;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_process_vm_readv is a struct null_event (kind=null)
// Enter probe for process_vm_readv: emits a null_event. No arguments are
// recorded, so the pid of the process whose memory is being read (args[0]) is
// not visible to consumers of this event.
SEC("tracepoint/syscalls/sys_enter_process_vm_readv")
int handle_sys_enter_process_vm_readv(struct syscall_trace_enter *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_PROCESS_VM_READV))
        return 0;
    struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0);
    if (!ev)
        return 0;
    ev->event_type = ENTER_NULL_EVENT;
    ev->trace_id = SYS_ENTER_PROCESS_VM_READV;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_process_vm_readv is a struct ret_event (READ_CLASSIFIED)
/// (kind=ret)
// Exit probe for process_vm_readv: emits the return value as a ret_event
// tagged READ_CLASSIFIED (presumably so consumers treat it as a byte count
// read; the classification is interpreted outside this chunk).
SEC("tracepoint/syscalls/sys_exit_process_vm_readv")
int handle_sys_exit_process_vm_readv(struct syscall_trace_exit *ctx) {
    __u32 pid, tid;
    // filter() and ior_on_syscall_exit() are defined outside this chunk. A
    // nonzero filter() result, or a zero ior_on_syscall_exit() result, means
    // no event is emitted. pid/tid are presumably filled in by filter().
    if (filter(&pid, &tid))
        return 0;
    // The enter id (SYS_ENTER_PROCESS_VM_READV) is what gets passed to the
    // exit hook; the emitted event is labelled SYS_EXIT_PROCESS_VM_READV.
    if (!ior_on_syscall_exit(tid, SYS_ENTER_PROCESS_VM_READV, ctx->ret))
        return 0;
    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    // A NULL reservation (e.g. ring buffer full) drops the event; nothing in
    // this handler counts or reports the loss.
    if (!ev)
        return 0;
    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_PROCESS_VM_READV;
    ev->pid = pid;
    ev->tid = tid;
    // Nanoseconds since boot, including time spent suspended.
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = READ_CLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_process_vm_writev is a struct null_event (kind=null)
// Enter probe for process_vm_writev: emits a null_event. No arguments are
// recorded, so the pid of the process whose memory is being written (args[0])
// is not visible to consumers of this event.
SEC("tracepoint/syscalls/sys_enter_process_vm_writev")
int handle_sys_enter_process_vm_writev(struct syscall_trace_enter *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_PROCESS_VM_WRITEV))
        return 0;
    struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0);
    if (!ev)
        return 0;
    ev->event_type = ENTER_NULL_EVENT;
    ev->trace_id = SYS_ENTER_PROCESS_VM_WRITEV;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_process_vm_writev is a struct ret_event (WRITE_CLASSIFIED) (kind=ret)
// Exit probe for process_vm_writev: emits the return value as a ret_event
// tagged WRITE_CLASSIFIED (presumably so consumers treat it as a byte count
// written; the classification is interpreted outside this chunk).
SEC("tracepoint/syscalls/sys_exit_process_vm_writev")
int handle_sys_exit_process_vm_writev(struct syscall_trace_exit *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_PROCESS_VM_WRITEV, ctx->ret))
        return 0;
    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev)
        return 0;
    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_PROCESS_VM_WRITEV;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = WRITE_CLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_msync is a struct null_event (kind=null)
// Enter probe for msync: emits a null_event (no syscall arguments recorded).
SEC("tracepoint/syscalls/sys_enter_msync")
int handle_sys_enter_msync(struct syscall_trace_enter *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_MSYNC))
        return 0;
    struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0);
    if (!ev)
        return 0;
    ev->event_type = ENTER_NULL_EVENT;
    ev->trace_id = SYS_ENTER_MSYNC;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_msync is a struct ret_event (UNCLASSIFIED) (kind=ret)
// Exit probe for msync: emits the return value as a ret_event tagged
// UNCLASSIFIED.
SEC("tracepoint/syscalls/sys_exit_msync")
int handle_sys_exit_msync(struct syscall_trace_exit *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_MSYNC, ctx->ret))
        return 0;
    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev)
        return 0;
    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_MSYNC;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_mremap is a struct mem_event (kind=mem)
// Enter probe for mremap: emits a mem_event with the old address (args[0]),
// old size (args[1]), new size (args[2], in length2) and flags (args[3]).
// The new-address argument (args[4]) is not recorded.
SEC("tracepoint/syscalls/sys_enter_mremap")
int handle_sys_enter_mremap(struct syscall_trace_enter *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_MREMAP))
        return 0;
    struct mem_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct mem_event), 0);
    if (!ev)
        return 0;
    ev->event_type = ENTER_MEM_EVENT;
    ev->trace_id = SYS_ENTER_MREMAP;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->addr = (__u64)ctx->args[0];
    ev->length = (__u64)ctx->args[1];
    ev->length2 = (__u64)ctx->args[2];
    ev->flags = (__u64)ctx->args[3];
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_mremap is a struct ret_event (UNCLASSIFIED) (kind=ret)
// Exit probe for mremap: emits the return value as a ret_event tagged
// UNCLASSIFIED.
SEC("tracepoint/syscalls/sys_exit_mremap")
int handle_sys_exit_mremap(struct syscall_trace_exit *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_MREMAP, ctx->ret))
        return 0;
    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev)
        return 0;
    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_MREMAP;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_mprotect is a struct mem_event (kind=mem)
// Enter probe for mprotect: emits a mem_event with the address (args[0]), the
// length (args[1]) and, in the flags field, the requested protection
// (args[2]). That field is what a consumer would inspect to notice a mapping
// being made both writable and executable.
SEC("tracepoint/syscalls/sys_enter_mprotect")
int handle_sys_enter_mprotect(struct syscall_trace_enter *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_MPROTECT))
        return 0;
    struct mem_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct mem_event), 0);
    if (!ev)
        return 0;
    ev->event_type = ENTER_MEM_EVENT;
    ev->trace_id = SYS_ENTER_MPROTECT;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->addr = (__u64)ctx->args[0];
    ev->length = (__u64)ctx->args[1];
    // mprotect has a single length; the second length slot is set to 0.
    ev->length2 = 0;
    ev->flags = (__u64)ctx->args[2];
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_mprotect is a struct ret_event (UNCLASSIFIED) (kind=ret)
// Exit probe for mprotect: emits the return value as a ret_event tagged
// UNCLASSIFIED.
SEC("tracepoint/syscalls/sys_exit_mprotect")
int handle_sys_exit_mprotect(struct syscall_trace_exit *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_MPROTECT, ctx->ret))
        return 0;
    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev)
        return 0;
    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_MPROTECT;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_pkey_mprotect is a struct mem_event (kind=mem)
SEC("tracepoint/syscalls/sys_enter_pkey_mprotect") int handle_sys_enter_pkey_mprotect(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; if (!ior_on_syscall_enter(tid, SYS_ENTER_PKEY_MPROTECT)) return 0; struct mem_event *ev =
bpf_ringbuf_reserve(&event_map, sizeof(struct mem_event), 0); if (!ev) return 0; ev->event_type = ENTER_MEM_EVENT; ev->trace_id = SYS_ENTER_PKEY_MPROTECT; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); ev->addr = (__u64)ctx->args[0]; ev->length = (__u64)ctx->args[1]; ev->length2 = (__u64)ctx->args[3]; ev->flags = (__u64)ctx->args[2]; bpf_ringbuf_submit(ev, 0); return 0; } /// sys_exit_pkey_mprotect is a struct ret_event (UNCLASSIFIED) (kind=ret) SEC("tracepoint/syscalls/sys_exit_pkey_mprotect") int handle_sys_exit_pkey_mprotect(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; if (!ior_on_syscall_exit(tid, SYS_ENTER_PKEY_MPROTECT, ctx->ret)) return 0; struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; ev->event_type = EXIT_RET_EVENT; ev->trace_id = SYS_EXIT_PKEY_MPROTECT; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); ev->ret = ctx->ret; ev->ret_type = UNCLASSIFIED; bpf_ringbuf_submit(ev, 0); return 0; } /// sys_enter_pkey_alloc is a struct null_event (kind=null) SEC("tracepoint/syscalls/sys_enter_pkey_alloc") int handle_sys_enter_pkey_alloc(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; if (!ior_on_syscall_enter(tid, SYS_ENTER_PKEY_ALLOC)) return 0; struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; ev->event_type = ENTER_NULL_EVENT; ev->trace_id = SYS_ENTER_PKEY_ALLOC; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); bpf_ringbuf_submit(ev, 0); return 0; } /// sys_exit_pkey_alloc is a struct ret_event (UNCLASSIFIED) (kind=ret) SEC("tracepoint/syscalls/sys_exit_pkey_alloc") int handle_sys_exit_pkey_alloc(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; if (!ior_on_syscall_exit(tid, SYS_ENTER_PKEY_ALLOC, ctx->ret)) return 0; struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct 
ret_event), 0); if (!ev) return 0; ev->event_type = EXIT_RET_EVENT; ev->trace_id = SYS_EXIT_PKEY_ALLOC; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); ev->ret = ctx->ret; ev->ret_type = UNCLASSIFIED; bpf_ringbuf_submit(ev, 0); return 0; } /// sys_enter_pkey_free is a struct null_event (kind=null) SEC("tracepoint/syscalls/sys_enter_pkey_free") int handle_sys_enter_pkey_free(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; if (!ior_on_syscall_enter(tid, SYS_ENTER_PKEY_FREE)) return 0; struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; ev->event_type = ENTER_NULL_EVENT; ev->trace_id = SYS_ENTER_PKEY_FREE; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); bpf_ringbuf_submit(ev, 0); return 0; } /// sys_exit_pkey_free is a struct ret_event (UNCLASSIFIED) (kind=ret) SEC("tracepoint/syscalls/sys_exit_pkey_free") int handle_sys_exit_pkey_free(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; if (!ior_on_syscall_exit(tid, SYS_ENTER_PKEY_FREE, ctx->ret)) return 0; struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; ev->event_type = EXIT_RET_EVENT; ev->trace_id = SYS_EXIT_PKEY_FREE; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); ev->ret = ctx->ret; ev->ret_type = UNCLASSIFIED; bpf_ringbuf_submit(ev, 0); return 0; } /// sys_enter_brk is a struct mem_event (kind=mem) SEC("tracepoint/syscalls/sys_enter_brk") int handle_sys_enter_brk(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; if (!ior_on_syscall_enter(tid, SYS_ENTER_BRK)) return 0; struct mem_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct mem_event), 0); if (!ev) return 0; ev->event_type = ENTER_MEM_EVENT; ev->trace_id = SYS_ENTER_BRK; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); ev->addr = (__u64)ctx->args[0]; ev->length = 0; 
ev->length2 = 0; ev->flags = 0; bpf_ringbuf_submit(ev, 0); return 0; } /// sys_exit_brk is a struct ret_event (UNCLASSIFIED) (kind=ret) SEC("tracepoint/syscalls/sys_exit_brk") int handle_sys_exit_brk(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; if (!ior_on_syscall_exit(tid, SYS_ENTER_BRK, ctx->ret)) return 0; struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; ev->event_type = EXIT_RET_EVENT; ev->trace_id = SYS_EXIT_BRK; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); ev->ret = ctx->ret; ev->ret_type = UNCLASSIFIED; bpf_ringbuf_submit(ev, 0); return 0; } /// sys_enter_munmap is a struct mem_event (kind=mem) SEC("tracepoint/syscalls/sys_enter_munmap") int handle_sys_enter_munmap(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; if (!ior_on_syscall_enter(tid, SYS_ENTER_MUNMAP)) return 0; struct mem_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct mem_event), 0); if (!ev) return 0; ev->event_type = ENTER_MEM_EVENT; ev->trace_id = SYS_ENTER_MUNMAP; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); ev->addr = (__u64)ctx->args[0]; ev->length = (__u64)ctx->args[1]; ev->length2 = 0; ev->flags = 0; bpf_ringbuf_submit(ev, 0); return 0; } /// sys_exit_munmap is a struct ret_event (UNCLASSIFIED) (kind=ret) SEC("tracepoint/syscalls/sys_exit_munmap") int handle_sys_exit_munmap(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; if (!ior_on_syscall_exit(tid, SYS_ENTER_MUNMAP, ctx->ret)) return 0; struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; ev->event_type = EXIT_RET_EVENT; ev->trace_id = SYS_EXIT_MUNMAP; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); ev->ret = ctx->ret; ev->ret_type = UNCLASSIFIED; bpf_ringbuf_submit(ev, 0); return 0; } /// sys_enter_remap_file_pages is a struct mem_event (kind=mem) 
SEC("tracepoint/syscalls/sys_enter_remap_file_pages")
int handle_sys_enter_remap_file_pages(struct syscall_trace_enter *ctx)
{
    // Entry probe for remap_file_pages: emits a mem_event with args[0] as
    // addr, args[1] as length, args[3] as length2 and args[4] as flags;
    // args[2] is not recorded. Per remap_file_pages(2), args[3] is pgoff and
    // args[2] is prot.
    // Shape shared by every handler in this run: filter() supplies pid/tid and
    // a non-zero result skips the event; ior_on_syscall_enter/exit (defined
    // elsewhere) can veto it; a failed bpf_ringbuf_reserve drops the event
    // with no drop counter visible here, so a missing record is not proof
    // that the syscall did not run.
    __u32 pid;
    __u32 tid;
    struct mem_event *rec;

    if (filter(&pid, &tid) ||
        !ior_on_syscall_enter(tid, SYS_ENTER_REMAP_FILE_PAGES))
        return 0;

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (rec) {
        rec->event_type = ENTER_MEM_EVENT;
        rec->trace_id = SYS_ENTER_REMAP_FILE_PAGES;
        rec->pid = pid;
        rec->tid = tid;
        rec->time = bpf_ktime_get_boot_ns();
        rec->addr = (__u64)ctx->args[0];
        rec->length = (__u64)ctx->args[1];
        rec->length2 = (__u64)ctx->args[3];
        rec->flags = (__u64)ctx->args[4];
        bpf_ringbuf_submit(rec, 0);
    }
    return 0;
}

/// sys_exit_remap_file_pages is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_remap_file_pages")
int handle_sys_exit_remap_file_pages(struct syscall_trace_exit *ctx)
{
    // Exit probe for remap_file_pages: reports ctx->ret as an UNCLASSIFIED
    // ret_event. The exit gate is called with the SYS_ENTER_* id, presumably
    // to pair with the matching entry (helper not visible here).
    __u32 pid;
    __u32 tid;
    struct ret_event *rec;

    if (filter(&pid, &tid) ||
        !ior_on_syscall_exit(tid, SYS_ENTER_REMAP_FILE_PAGES, ctx->ret))
        return 0;

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (rec) {
        rec->event_type = EXIT_RET_EVENT;
        rec->trace_id = SYS_EXIT_REMAP_FILE_PAGES;
        rec->pid = pid;
        rec->tid = tid;
        rec->time = bpf_ktime_get_boot_ns();
        rec->ret = ctx->ret;
        rec->ret_type = UNCLASSIFIED;
        bpf_ringbuf_submit(rec, 0);
    }
    return 0;
}

/// sys_enter_mlock is a struct mem_event (kind=mem)
SEC("tracepoint/syscalls/sys_enter_mlock")
int handle_sys_enter_mlock(struct syscall_trace_enter *ctx)
{
    // Entry probe for mlock: mem_event with addr = args[0], length = args[1];
    // length2 and flags are fixed to 0.
    __u32 pid;
    __u32 tid;
    struct mem_event *rec;

    if (filter(&pid, &tid) || !ior_on_syscall_enter(tid, SYS_ENTER_MLOCK))
        return 0;

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (rec) {
        rec->event_type = ENTER_MEM_EVENT;
        rec->trace_id = SYS_ENTER_MLOCK;
        rec->pid = pid;
        rec->tid = tid;
        rec->time = bpf_ktime_get_boot_ns();
        rec->addr = (__u64)ctx->args[0];
        rec->length = (__u64)ctx->args[1];
        rec->length2 = 0;
        rec->flags = 0;
        bpf_ringbuf_submit(rec, 0);
    }
    return 0;
}

/// sys_exit_mlock is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_mlock")
int handle_sys_exit_mlock(struct syscall_trace_exit *ctx)
{
    // Exit probe for mlock: reports ctx->ret as an UNCLASSIFIED ret_event.
    __u32 pid;
    __u32 tid;
    struct ret_event *rec;

    if (filter(&pid, &tid) ||
        !ior_on_syscall_exit(tid, SYS_ENTER_MLOCK, ctx->ret))
        return 0;

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (rec) {
        rec->event_type = EXIT_RET_EVENT;
        rec->trace_id = SYS_EXIT_MLOCK;
        rec->pid = pid;
        rec->tid = tid;
        rec->time = bpf_ktime_get_boot_ns();
        rec->ret = ctx->ret;
        rec->ret_type = UNCLASSIFIED;
        bpf_ringbuf_submit(rec, 0);
    }
    return 0;
}

/// sys_enter_mlock2 is a struct mem_event (kind=mem)
SEC("tracepoint/syscalls/sys_enter_mlock2")
int handle_sys_enter_mlock2(struct syscall_trace_enter *ctx)
{
    // Entry probe for mlock2: like mlock, but flags is taken from args[2].
    __u32 pid;
    __u32 tid;
    struct mem_event *rec;

    if (filter(&pid, &tid) || !ior_on_syscall_enter(tid, SYS_ENTER_MLOCK2))
        return 0;

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (rec) {
        rec->event_type = ENTER_MEM_EVENT;
        rec->trace_id = SYS_ENTER_MLOCK2;
        rec->pid = pid;
        rec->tid = tid;
        rec->time = bpf_ktime_get_boot_ns();
        rec->addr = (__u64)ctx->args[0];
        rec->length = (__u64)ctx->args[1];
        rec->length2 = 0;
        rec->flags = (__u64)ctx->args[2];
        bpf_ringbuf_submit(rec, 0);
    }
    return 0;
}

/// sys_exit_mlock2 is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_mlock2")
int handle_sys_exit_mlock2(struct syscall_trace_exit *ctx)
{
    // Exit probe for mlock2: reports ctx->ret as an UNCLASSIFIED ret_event.
    __u32 pid;
    __u32 tid;
    struct ret_event *rec;

    if (filter(&pid, &tid) ||
        !ior_on_syscall_exit(tid, SYS_ENTER_MLOCK2, ctx->ret))
        return 0;

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (rec) {
        rec->event_type = EXIT_RET_EVENT;
        rec->trace_id = SYS_EXIT_MLOCK2;
        rec->pid = pid;
        rec->tid = tid;
        rec->time = bpf_ktime_get_boot_ns();
        rec->ret = ctx->ret;
        rec->ret_type = UNCLASSIFIED;
        bpf_ringbuf_submit(rec, 0);
    }
    return 0;
}

/// sys_enter_munlock is a struct mem_event (kind=mem)
SEC("tracepoint/syscalls/sys_enter_munlock")
int handle_sys_enter_munlock(struct syscall_trace_enter *ctx)
{
    // Entry probe for munlock: mem_event with addr = args[0],
    // length = args[1]; length2 and flags are fixed to 0.
    __u32 pid;
    __u32 tid;
    struct mem_event *rec;

    if (filter(&pid, &tid) || !ior_on_syscall_enter(tid, SYS_ENTER_MUNLOCK))
        return 0;

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (rec) {
        rec->event_type = ENTER_MEM_EVENT;
        rec->trace_id = SYS_ENTER_MUNLOCK;
        rec->pid = pid;
        rec->tid = tid;
        rec->time = bpf_ktime_get_boot_ns();
        rec->addr = (__u64)ctx->args[0];
        rec->length = (__u64)ctx->args[1];
        rec->length2 = 0;
        rec->flags = 0;
        bpf_ringbuf_submit(rec, 0);
    }
    return 0;
}

/// sys_exit_munlock is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_munlock")
int handle_sys_exit_munlock(struct syscall_trace_exit *ctx)
{
    // Exit probe for munlock: reports ctx->ret as an UNCLASSIFIED ret_event.
    __u32 pid;
    __u32 tid;
    struct ret_event *rec;

    if (filter(&pid, &tid) ||
        !ior_on_syscall_exit(tid, SYS_ENTER_MUNLOCK, ctx->ret))
        return 0;

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (rec) {
        rec->event_type = EXIT_RET_EVENT;
        rec->trace_id = SYS_EXIT_MUNLOCK;
        rec->pid = pid;
        rec->tid = tid;
        rec->time = bpf_ktime_get_boot_ns();
        rec->ret = ctx->ret;
        rec->ret_type = UNCLASSIFIED;
        bpf_ringbuf_submit(rec, 0);
    }
    return 0;
}

/// sys_enter_mlockall is a struct null_event (kind=null)
SEC("tracepoint/syscalls/sys_enter_mlockall")
int handle_sys_enter_mlockall(struct syscall_trace_enter *ctx)
{
    // Entry probe for mlockall: null_event (identity and timestamp only);
    // no syscall argument is recorded.
    __u32 pid;
    __u32 tid;
    struct null_event *rec;

    if (filter(&pid, &tid) || !ior_on_syscall_enter(tid, SYS_ENTER_MLOCKALL))
        return 0;

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (rec) {
        rec->event_type = ENTER_NULL_EVENT;
        rec->trace_id = SYS_ENTER_MLOCKALL;
        rec->pid = pid;
        rec->tid = tid;
        rec->time = bpf_ktime_get_boot_ns();
        bpf_ringbuf_submit(rec, 0);
    }
    return 0;
}

/// sys_exit_mlockall is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_mlockall")
int handle_sys_exit_mlockall(struct syscall_trace_exit *ctx)
{
    // Exit probe for mlockall: reports ctx->ret as an UNCLASSIFIED ret_event.
    __u32 pid;
    __u32 tid;
    struct ret_event *rec;

    if (filter(&pid, &tid) ||
        !ior_on_syscall_exit(tid, SYS_ENTER_MLOCKALL, ctx->ret))
        return 0;

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (rec) {
        rec->event_type = EXIT_RET_EVENT;
        rec->trace_id = SYS_EXIT_MLOCKALL;
        rec->pid = pid;
        rec->tid = tid;
        rec->time = bpf_ktime_get_boot_ns();
        rec->ret = ctx->ret;
        rec->ret_type = UNCLASSIFIED;
        bpf_ringbuf_submit(rec, 0);
    }
    return 0;
}

/// sys_enter_munlockall is a struct null_event (kind=null)
SEC("tracepoint/syscalls/sys_enter_munlockall")
int handle_sys_enter_munlockall(struct syscall_trace_enter *ctx)
{
    // Entry probe for munlockall: null_event (identity and timestamp only).
    __u32 pid;
    __u32 tid;
    struct null_event *rec;

    if (filter(&pid, &tid) ||
        !ior_on_syscall_enter(tid, SYS_ENTER_MUNLOCKALL))
        return 0;

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (rec) {
        rec->event_type = ENTER_NULL_EVENT;
        rec->trace_id = SYS_ENTER_MUNLOCKALL;
        rec->pid = pid;
        rec->tid = tid;
        rec->time = bpf_ktime_get_boot_ns();
        bpf_ringbuf_submit(rec, 0);
    }
    return 0;
}

/// sys_exit_munlockall is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_munlockall")
int handle_sys_exit_munlockall(struct syscall_trace_exit *ctx)
{
    // Exit probe for munlockall: reports ctx->ret as an UNCLASSIFIED ret_event.
    __u32 pid;
    __u32 tid;
    struct ret_event *rec;

    if (filter(&pid, &tid) ||
        !ior_on_syscall_exit(tid, SYS_ENTER_MUNLOCKALL, ctx->ret))
        return 0;

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (rec) {
        rec->event_type = EXIT_RET_EVENT;
        rec->trace_id = SYS_EXIT_MUNLOCKALL;
        rec->pid = pid;
        rec->tid = tid;
        rec->time = bpf_ktime_get_boot_ns();
        rec->ret = ctx->ret;
        rec->ret_type = UNCLASSIFIED;
        bpf_ringbuf_submit(rec, 0);
    }
    return 0;
}

/// sys_enter_mincore is a struct mem_event (kind=mem)
SEC("tracepoint/syscalls/sys_enter_mincore")
int handle_sys_enter_mincore(struct syscall_trace_enter *ctx)
{
    // Entry probe for mincore: mem_event with addr = args[0],
    // length = args[1]; length2 and flags are fixed to 0.
    __u32 pid;
    __u32 tid;
    struct mem_event *rec;

    if (filter(&pid, &tid) || !ior_on_syscall_enter(tid, SYS_ENTER_MINCORE))
        return 0;

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (rec) {
        rec->event_type = ENTER_MEM_EVENT;
        rec->trace_id = SYS_ENTER_MINCORE;
        rec->pid = pid;
        rec->tid = tid;
        rec->time = bpf_ktime_get_boot_ns();
        rec->addr = (__u64)ctx->args[0];
        rec->length = (__u64)ctx->args[1];
        rec->length2 = 0;
        rec->flags = 0;
        bpf_ringbuf_submit(rec, 0);
    }
    return 0;
}

/// sys_exit_mincore is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_mincore")
int handle_sys_exit_mincore(struct syscall_trace_exit *ctx)
{
    // Exit probe for mincore: reports ctx->ret as an UNCLASSIFIED ret_event.
    __u32 pid;
    __u32 tid;
    struct ret_event *rec;

    if (filter(&pid, &tid) ||
        !ior_on_syscall_exit(tid, SYS_ENTER_MINCORE, ctx->ret))
        return 0;

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (rec) {
        rec->event_type = EXIT_RET_EVENT;
        rec->trace_id = SYS_EXIT_MINCORE;
        rec->pid = pid;
        rec->tid = tid;
        rec->time = bpf_ktime_get_boot_ns();
        rec->ret = ctx->ret;
        rec->ret_type = UNCLASSIFIED;
        bpf_ringbuf_submit(rec, 0);
    }
    return 0;
}

/// sys_enter_readahead is a struct fd_event (kind=fd)
SEC("tracepoint/syscalls/sys_enter_readahead")
int handle_sys_enter_readahead(struct syscall_trace_enter *ctx)
{
    // Entry probe for readahead: fd_event carrying args[0] narrowed to a
    // signed 32-bit fd; the remaining arguments are not recorded.
    __u32 pid;
    __u32 tid;
    struct fd_event *rec;

    if (filter(&pid, &tid) || !ior_on_syscall_enter(tid, SYS_ENTER_READAHEAD))
        return 0;

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (rec) {
        rec->event_type = ENTER_FD_EVENT;
        rec->trace_id = SYS_ENTER_READAHEAD;
        rec->pid = pid;
        rec->tid = tid;
        rec->time = bpf_ktime_get_boot_ns();
        rec->fd = (__s32)ctx->args[0];
        bpf_ringbuf_submit(rec, 0);
    }
    return 0;
}

/// sys_exit_readahead is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_readahead")
int handle_sys_exit_readahead(struct syscall_trace_exit *ctx)
{
    // Exit probe for readahead: reports ctx->ret as an UNCLASSIFIED ret_event.
    __u32 pid;
    __u32 tid;
    struct ret_event *rec;

    if (filter(&pid, &tid) ||
        !ior_on_syscall_exit(tid, SYS_ENTER_READAHEAD, ctx->ret))
        return 0;

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (rec) {
        rec->event_type = EXIT_RET_EVENT;
        rec->trace_id = SYS_EXIT_READAHEAD;
        rec->pid = pid;
        rec->tid = tid;
        rec->time = bpf_ktime_get_boot_ns();
        rec->ret = ctx->ret;
        rec->ret_type = UNCLASSIFIED;
        bpf_ringbuf_submit(rec, 0);
    }
    return 0;
}

/// sys_enter_fadvise64 is a struct fd_event (kind=fd)
SEC("tracepoint/syscalls/sys_enter_fadvise64")
int handle_sys_enter_fadvise64(struct syscall_trace_enter *ctx)
{
    // Entry probe for fadvise64: fd_event carrying args[0] as the fd; the
    // remaining arguments are not recorded.
    __u32 pid;
    __u32 tid;
    struct fd_event *rec;

    if (filter(&pid, &tid) || !ior_on_syscall_enter(tid, SYS_ENTER_FADVISE64))
        return 0;

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (rec) {
        rec->event_type = ENTER_FD_EVENT;
        rec->trace_id = SYS_ENTER_FADVISE64;
        rec->pid = pid;
        rec->tid = tid;
        rec->time = bpf_ktime_get_boot_ns();
        rec->fd = (__s32)ctx->args[0];
        bpf_ringbuf_submit(rec, 0);
    }
    return 0;
}

/// sys_exit_fadvise64 is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_fadvise64")
int handle_sys_exit_fadvise64(struct syscall_trace_exit *ctx)
{
    // Exit probe for fadvise64: reports ctx->ret as an UNCLASSIFIED ret_event.
    __u32 pid;
    __u32 tid;
    struct ret_event *rec;

    if (filter(&pid, &tid) ||
        !ior_on_syscall_exit(tid, SYS_ENTER_FADVISE64, ctx->ret))
        return 0;

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (rec) {
        rec->event_type = EXIT_RET_EVENT;
        rec->trace_id = SYS_EXIT_FADVISE64;
        rec->pid = pid;
        rec->tid = tid;
        rec->time = bpf_ktime_get_boot_ns();
        rec->ret = ctx->ret;
        rec->ret_type = UNCLASSIFIED;
        bpf_ringbuf_submit(rec, 0);
    }
    return 0;
}

/// sys_enter_process_mrelease is a struct fd_event (kind=fd)
SEC("tracepoint/syscalls/sys_enter_process_mrelease")
int handle_sys_enter_process_mrelease(struct syscall_trace_enter *ctx)
{
    // Entry probe for process_mrelease: fd_event carrying args[0], which per
    // process_mrelease(2) is a pidfd naming the target process. The flags
    // argument is not recorded.
    __u32 pid;
    __u32 tid;
    struct fd_event *rec;

    if (filter(&pid, &tid) ||
        !ior_on_syscall_enter(tid, SYS_ENTER_PROCESS_MRELEASE))
        return 0;

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (rec) {
        rec->event_type = ENTER_FD_EVENT;
        rec->trace_id = SYS_ENTER_PROCESS_MRELEASE;
        rec->pid = pid;
        rec->tid = tid;
        rec->time = bpf_ktime_get_boot_ns();
        rec->fd = (__s32)ctx->args[0];
        bpf_ringbuf_submit(rec, 0);
    }
    return 0;
}

/// sys_exit_process_mrelease is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_process_mrelease")
int handle_sys_exit_process_mrelease(struct syscall_trace_exit *ctx)
{
    // Exit probe for process_mrelease: reports ctx->ret as an UNCLASSIFIED
    // ret_event.
    // Shape shared by every handler in this run: filter() supplies pid/tid and
    // a non-zero result skips the event; ior_on_syscall_enter/exit (defined
    // elsewhere) can veto it, and the exit gate is called with the
    // SYS_ENTER_* id, presumably to pair with the matching entry. A failed
    // bpf_ringbuf_reserve drops the event with no drop counter visible here,
    // so a missing record is not proof that the syscall did not run.
    __u32 pid;
    __u32 tid;
    struct ret_event *rec;

    if (filter(&pid, &tid) ||
        !ior_on_syscall_exit(tid, SYS_ENTER_PROCESS_MRELEASE, ctx->ret))
        return 0;

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (rec) {
        rec->event_type = EXIT_RET_EVENT;
        rec->trace_id = SYS_EXIT_PROCESS_MRELEASE;
        rec->pid = pid;
        rec->tid = tid;
        rec->time = bpf_ktime_get_boot_ns();
        rec->ret = ctx->ret;
        rec->ret_type = UNCLASSIFIED;
        bpf_ringbuf_submit(rec, 0);
    }
    return 0;
}

/// sys_enter_cachestat is a struct fd_event (kind=fd)
SEC("tracepoint/syscalls/sys_enter_cachestat")
int handle_sys_enter_cachestat(struct syscall_trace_enter *ctx)
{
    // Entry probe for cachestat: fd_event carrying args[0] narrowed to a
    // signed 32-bit fd; the remaining arguments are not recorded.
    __u32 pid;
    __u32 tid;
    struct fd_event *rec;

    if (filter(&pid, &tid) || !ior_on_syscall_enter(tid, SYS_ENTER_CACHESTAT))
        return 0;

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (rec) {
        rec->event_type = ENTER_FD_EVENT;
        rec->trace_id = SYS_ENTER_CACHESTAT;
        rec->pid = pid;
        rec->tid = tid;
        rec->time = bpf_ktime_get_boot_ns();
        rec->fd = (__s32)ctx->args[0];
        bpf_ringbuf_submit(rec, 0);
    }
    return 0;
}

/// sys_exit_cachestat is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_cachestat")
int handle_sys_exit_cachestat(struct syscall_trace_exit *ctx)
{
    // Exit probe for cachestat: reports ctx->ret as an UNCLASSIFIED ret_event.
    __u32 pid;
    __u32 tid;
    struct ret_event *rec;

    if (filter(&pid, &tid) ||
        !ior_on_syscall_exit(tid, SYS_ENTER_CACHESTAT, ctx->ret))
        return 0;

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (rec) {
        rec->event_type = EXIT_RET_EVENT;
        rec->trace_id = SYS_EXIT_CACHESTAT;
        rec->pid = pid;
        rec->tid = tid;
        rec->time = bpf_ktime_get_boot_ns();
        rec->ret = ctx->ret;
        rec->ret_type = UNCLASSIFIED;
        bpf_ringbuf_submit(rec, 0);
    }
    return 0;
}

/// sys_enter_rseq is a struct null_event (kind=null)
SEC("tracepoint/syscalls/sys_enter_rseq")
int handle_sys_enter_rseq(struct syscall_trace_enter *ctx)
{
    // Entry probe for rseq: null_event (identity and timestamp only); no
    // syscall argument is recorded.
    __u32 pid;
    __u32 tid;
    struct null_event *rec;

    if (filter(&pid, &tid) || !ior_on_syscall_enter(tid, SYS_ENTER_RSEQ))
        return 0;

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (rec) {
        rec->event_type = ENTER_NULL_EVENT;
        rec->trace_id = SYS_ENTER_RSEQ;
        rec->pid = pid;
        rec->tid = tid;
        rec->time = bpf_ktime_get_boot_ns();
        bpf_ringbuf_submit(rec, 0);
    }
    return 0;
}

/// sys_exit_rseq is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_rseq")
int handle_sys_exit_rseq(struct syscall_trace_exit *ctx)
{
    // Exit probe for rseq: reports ctx->ret as an UNCLASSIFIED ret_event.
    __u32 pid;
    __u32 tid;
    struct ret_event *rec;

    if (filter(&pid, &tid) ||
        !ior_on_syscall_exit(tid, SYS_ENTER_RSEQ, ctx->ret))
        return 0;

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (rec) {
        rec->event_type = EXIT_RET_EVENT;
        rec->trace_id = SYS_EXIT_RSEQ;
        rec->pid = pid;
        rec->tid = tid;
        rec->time = bpf_ktime_get_boot_ns();
        rec->ret = ctx->ret;
        rec->ret_type = UNCLASSIFIED;
        bpf_ringbuf_submit(rec, 0);
    }
    return 0;
}

/// sys_enter_perf_event_open is a struct perf_open_event (kind=perf-open)
SEC("tracepoint/syscalls/sys_enter_perf_event_open")
int handle_sys_enter_perf_event_open(struct syscall_trace_enter *ctx)
{
    // Entry probe for perf_event_open: emits a perf_open_event with the
    // scalar arguments (args[1..4]) and the leading type/size/config fields
    // of the caller's perf_event_attr (args[0]).
    //
    // Only the 16-byte prefix mirrored by the local struct is copied from
    // user memory. When args[0] is NULL or the read faults, attr_type,
    // attr_size and config stay 0; type 0 with config 0 is also a valid
    // request (PERF_TYPE_HARDWARE), so a consumer cannot tell "unreadable"
    // from that case on these fields alone.
    //
    // The copy is taken at syscall entry, independently of the kernel's own
    // read of the attr, so a structure modified concurrently by the caller
    // may be logged with values that differ from what the kernel acts on.
    __u32 pid;
    __u32 tid;
    struct perf_open_event *rec;

    if (filter(&pid, &tid) ||
        !ior_on_syscall_enter(tid, SYS_ENTER_PERF_EVENT_OPEN))
        return 0;

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (rec) {
        rec->event_type = ENTER_PERF_OPEN_EVENT;
        rec->trace_id = SYS_ENTER_PERF_EVENT_OPEN;
        rec->pid = pid;
        rec->tid = tid;
        rec->time = bpf_ktime_get_boot_ns();

        // Defaults reported when the attr cannot be read.
        rec->attr_type = 0;
        rec->attr_size = 0;
        rec->config = 0;
        if (ctx->args[0] != 0) {
            struct __ior_perf_event_attr {
                __u32 type;
                __u32 size;
                __u64 config;
            } uattr = {};

            if (!bpf_probe_read_user(&uattr, sizeof(uattr), (void *)ctx->args[0])) {
                rec->attr_type = uattr.type;
                rec->attr_size = uattr.size;
                rec->config = uattr.config;
            }
        }

        // The casts narrow the raw argument words to 32 bits.
        rec->target_pid = (__s32)ctx->args[1];
        rec->cpu = (__s32)ctx->args[2];
        rec->group_fd = (__s32)ctx->args[3];
        rec->flags = (__u32)ctx->args[4];
        bpf_ringbuf_submit(rec, 0);
    }
    return 0;
}

/// sys_exit_perf_event_open is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_perf_event_open")
int handle_sys_exit_perf_event_open(struct syscall_trace_exit *ctx)
{
    // Exit probe for perf_event_open: reports ctx->ret as an UNCLASSIFIED
    // ret_event.
    __u32 pid;
    __u32 tid;
    struct ret_event *rec;

    if (filter(&pid, &tid) ||
        !ior_on_syscall_exit(tid, SYS_ENTER_PERF_EVENT_OPEN, ctx->ret))
        return 0;

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (rec) {
        rec->event_type = EXIT_RET_EVENT;
        rec->trace_id = SYS_EXIT_PERF_EVENT_OPEN;
        rec->pid = pid;
        rec->tid = tid;
        rec->time = bpf_ktime_get_boot_ns();
        rec->ret = ctx->ret;
        rec->ret_type = UNCLASSIFIED;
        bpf_ringbuf_submit(rec, 0);
    }
    return 0;
}

/// sys_enter_bpf is a struct null_event (kind=bpf)
SEC("tracepoint/syscalls/sys_enter_bpf")
int handle_sys_enter_bpf(struct syscall_trace_enter *ctx)
{
    // Entry probe for bpf: null_event only. None of ctx->args is read, so the
    // bpf(2) command in args[0] is not part of the record; consumers see that
    // the syscall was entered, not which operation was requested.
    __u32 pid;
    __u32 tid;
    struct null_event *rec;

    if (filter(&pid, &tid) || !ior_on_syscall_enter(tid, SYS_ENTER_BPF))
        return 0;

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (rec) {
        rec->event_type = ENTER_NULL_EVENT;
        rec->trace_id = SYS_ENTER_BPF;
        rec->pid = pid;
        rec->tid = tid;
        rec->time = bpf_ktime_get_boot_ns();
        bpf_ringbuf_submit(rec, 0);
    }
    return 0;
}

/// sys_exit_bpf is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_bpf")
int handle_sys_exit_bpf(struct syscall_trace_exit *ctx)
{
    // Exit probe for bpf: reports ctx->ret as an UNCLASSIFIED ret_event.
    __u32 pid;
    __u32 tid;
    struct ret_event *rec;

    if (filter(&pid, &tid) ||
        !ior_on_syscall_exit(tid, SYS_ENTER_BPF, ctx->ret))
        return 0;

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (rec) {
        rec->event_type = EXIT_RET_EVENT;
        rec->trace_id = SYS_EXIT_BPF;
        rec->pid = pid;
        rec->tid = tid;
        rec->time = bpf_ktime_get_boot_ns();
        rec->ret = ctx->ret;
        rec->ret_type = UNCLASSIFIED;
        bpf_ringbuf_submit(rec, 0);
    }
    return 0;
}

/// sys_enter_seccomp is a struct null_event (kind=seccomp)
SEC("tracepoint/syscalls/sys_enter_seccomp")
int handle_sys_enter_seccomp(struct syscall_trace_enter *ctx)
{
    // Entry probe for seccomp: null_event only. The operation, flags and
    // args pointer of seccomp(2) are not recorded.
    __u32 pid;
    __u32 tid;
    struct null_event *rec;

    if (filter(&pid, &tid) || !ior_on_syscall_enter(tid, SYS_ENTER_SECCOMP))
        return 0;

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (rec) {
        rec->event_type = ENTER_NULL_EVENT;
        rec->trace_id = SYS_ENTER_SECCOMP;
        rec->pid = pid;
        rec->tid = tid;
        rec->time = bpf_ktime_get_boot_ns();
        bpf_ringbuf_submit(rec, 0);
    }
    return 0;
}

/// sys_exit_seccomp is a struct null_event (kind=seccomp)
SEC("tracepoint/syscalls/sys_exit_seccomp")
int handle_sys_exit_seccomp(struct syscall_trace_exit *ctx)
{
    // Exit probe for seccomp: unlike the other exit handlers in this run it
    // emits a null_event, so ctx->ret reaches ior_on_syscall_exit but is not
    // written to the record.
    // NOTE(review): the event stream therefore does not show whether the
    // seccomp call succeeded; confirm that this is intended.
    __u32 pid;
    __u32 tid;
    struct null_event *rec;

    if (filter(&pid, &tid) ||
        !ior_on_syscall_exit(tid, SYS_ENTER_SECCOMP, ctx->ret))
        return 0;

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (rec) {
        rec->event_type = EXIT_NULL_EVENT;
        rec->trace_id = SYS_EXIT_SECCOMP;
        rec->pid = pid;
        rec->tid = tid;
        rec->time = bpf_ktime_get_boot_ns();
        bpf_ringbuf_submit(rec, 0);
    }
    return 0;
}

/// sys_enter_kexec_file_load is a struct fd_event (kind=fd)
SEC("tracepoint/syscalls/sys_enter_kexec_file_load")
int handle_sys_enter_kexec_file_load(struct syscall_trace_enter *ctx)
{
    // Entry probe for kexec_file_load: fd_event carrying args[0] only, which
    // per kexec_file_load(2) is the kernel image fd. The initrd fd, command
    // line and flags are not recorded.
    __u32 pid;
    __u32 tid;
    struct fd_event *rec;

    if (filter(&pid, &tid) ||
        !ior_on_syscall_enter(tid, SYS_ENTER_KEXEC_FILE_LOAD))
        return 0;

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (rec) {
        rec->event_type = ENTER_FD_EVENT;
        rec->trace_id = SYS_ENTER_KEXEC_FILE_LOAD;
        rec->pid = pid;
        rec->tid = tid;
        rec->time = bpf_ktime_get_boot_ns();
        rec->fd = (__s32)ctx->args[0];
        bpf_ringbuf_submit(rec, 0);
    }
    return 0;
}

/// sys_exit_kexec_file_load is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_kexec_file_load")
int handle_sys_exit_kexec_file_load(struct syscall_trace_exit *ctx)
{
    // Exit probe for kexec_file_load: reports ctx->ret as an UNCLASSIFIED
    // ret_event.
    __u32 pid;
    __u32 tid;
    struct ret_event *rec;

    if (filter(&pid, &tid) ||
        !ior_on_syscall_exit(tid, SYS_ENTER_KEXEC_FILE_LOAD, ctx->ret))
        return 0;

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (rec) {
        rec->event_type = EXIT_RET_EVENT;
        rec->trace_id = SYS_EXIT_KEXEC_FILE_LOAD;
        rec->pid = pid;
        rec->tid = tid;
        rec->time = bpf_ktime_get_boot_ns();
        rec->ret = ctx->ret;
        rec->ret_type = UNCLASSIFIED;
        bpf_ringbuf_submit(rec, 0);
    }
    return 0;
}

/// sys_enter_kexec_load is a struct null_event (kind=null)
SEC("tracepoint/syscalls/sys_enter_kexec_load")
int handle_sys_enter_kexec_load(struct syscall_trace_enter *ctx)
{
    // Entry probe for kexec_load: null_event only; no syscall argument is
    // recorded.
    __u32 pid;
    __u32 tid;
    struct null_event *rec;

    if (filter(&pid, &tid) || !ior_on_syscall_enter(tid, SYS_ENTER_KEXEC_LOAD))
        return 0;

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (rec) {
        rec->event_type = ENTER_NULL_EVENT;
        rec->trace_id = SYS_ENTER_KEXEC_LOAD;
        rec->pid = pid;
        rec->tid = tid;
        rec->time = bpf_ktime_get_boot_ns();
        bpf_ringbuf_submit(rec, 0);
    }
    return 0;
}

/// sys_exit_kexec_load is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_kexec_load")
int handle_sys_exit_kexec_load(struct syscall_trace_exit *ctx)
{
    // Exit probe for kexec_load: reports ctx->ret as an UNCLASSIFIED ret_event.
    __u32 pid;
    __u32 tid;
    struct ret_event *rec;

    if (filter(&pid, &tid) ||
        !ior_on_syscall_exit(tid, SYS_ENTER_KEXEC_LOAD, ctx->ret))
        return 0;

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (rec) {
        rec->event_type = EXIT_RET_EVENT;
        rec->trace_id = SYS_EXIT_KEXEC_LOAD;
        rec->pid = pid;
        rec->tid = tid;
        rec->time = bpf_ktime_get_boot_ns();
        rec->ret = ctx->ret;
        rec->ret_type = UNCLASSIFIED;
        bpf_ringbuf_submit(rec, 0);
    }
    return 0;
}

/// sys_enter_acct is a struct path_event (kind=pathname)
SEC("tracepoint/syscalls/sys_enter_acct")
int handle_sys_enter_acct(struct syscall_trace_enter *ctx)
{
    // Entry probe for acct: emits a path_event whose pathname is copied from
    // the user pointer in args[0].
    //
    // pathname is zeroed before the copy, presumably so bytes after the NUL
    // never carry stale ring-buffer contents to user space.
    // The helper's return value is ignored: a NULL or unreadable pointer
    // (acct(NULL) is the documented way to switch accounting off) yields an
    // empty pathname, and a string longer than the buffer is truncated
    // without any marker in the record.
    //
    // The copy is taken at syscall entry, independently of the kernel's own
    // read, so a path modified concurrently by the caller may be logged
    // differently from the one the kernel acts on.
    __u32 pid;
    __u32 tid;
    struct path_event *rec;

    if (filter(&pid, &tid) || !ior_on_syscall_enter(tid, SYS_ENTER_ACCT))
        return 0;

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (rec) {
        rec->event_type = ENTER_PATH_EVENT;
        rec->trace_id = SYS_ENTER_ACCT;
        rec->pid = pid;
        rec->tid = tid;
        rec->time = bpf_ktime_get_boot_ns();
        __builtin_memset(&(rec->pathname), 0, sizeof(rec->pathname));
        bpf_probe_read_user_str(rec->pathname, sizeof(rec->pathname),
                                (void *)ctx->args[0]);
        bpf_ringbuf_submit(rec, 0);
    }
    return 0;
}

/// sys_exit_acct is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_acct")
int handle_sys_exit_acct(struct syscall_trace_exit *ctx)
{
    // Exit probe for acct: reports ctx->ret as an UNCLASSIFIED ret_event.
    __u32 pid;
    __u32 tid;
    struct ret_event *rec;

    if (filter(&pid, &tid) ||
        !ior_on_syscall_exit(tid, SYS_ENTER_ACCT, ctx->ret))
        return 0;

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (rec) {
        rec->event_type = EXIT_RET_EVENT;
        rec->trace_id = SYS_EXIT_ACCT;
        rec->pid = pid;
        rec->tid = tid;
        rec->time = bpf_ktime_get_boot_ns();
        rec->ret = ctx->ret;
        rec->ret_type = UNCLASSIFIED;
        bpf_ringbuf_submit(rec, 0);
    }
    return 0;
}

/// sys_enter_set_robust_list is a struct null_event (kind=null)
SEC("tracepoint/syscalls/sys_enter_set_robust_list")
int handle_sys_enter_set_robust_list(struct syscall_trace_enter *ctx)
{
    // Entry probe for set_robust_list: null_event only; no syscall argument
    // is recorded.
    __u32 pid;
    __u32 tid;
    struct null_event *rec;

    if (filter(&pid, &tid) ||
        !ior_on_syscall_enter(tid, SYS_ENTER_SET_ROBUST_LIST))
        return 0;

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (rec) {
        rec->event_type = ENTER_NULL_EVENT;
        rec->trace_id = SYS_ENTER_SET_ROBUST_LIST;
        rec->pid = pid;
        rec->tid = tid;
        rec->time = bpf_ktime_get_boot_ns();
        bpf_ringbuf_submit(rec, 0);
    }
    return 0;
}

/// sys_exit_set_robust_list is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_set_robust_list")
int handle_sys_exit_set_robust_list(struct syscall_trace_exit *ctx)
{
    // Exit probe for set_robust_list: reports ctx->ret as an UNCLASSIFIED
    // ret_event.
    __u32 pid;
    __u32 tid;
    struct ret_event *rec;

    if (filter(&pid, &tid) ||
        !ior_on_syscall_exit(tid, SYS_ENTER_SET_ROBUST_LIST, ctx->ret))
        return 0;

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (rec) {
        rec->event_type = EXIT_RET_EVENT;
        rec->trace_id = SYS_EXIT_SET_ROBUST_LIST;
        rec->pid = pid;
        rec->tid = tid;
        rec->time = bpf_ktime_get_boot_ns();
        rec->ret = ctx->ret;
        rec->ret_type = UNCLASSIFIED;
        bpf_ringbuf_submit(rec, 0);
    }
    // The returned value and the closing brace of this handler are on the
    // following source line.
    return
0; } /// sys_enter_get_robust_list is a struct null_event (kind=null) SEC("tracepoint/syscalls/sys_enter_get_robust_list") int handle_sys_enter_get_robust_list(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; if (!ior_on_syscall_enter(tid, SYS_ENTER_GET_ROBUST_LIST)) return 0; struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; ev->event_type = ENTER_NULL_EVENT; ev->trace_id = SYS_ENTER_GET_ROBUST_LIST; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); bpf_ringbuf_submit(ev, 0); return 0; } /// sys_exit_get_robust_list is a struct ret_event (UNCLASSIFIED) (kind=ret) SEC("tracepoint/syscalls/sys_exit_get_robust_list") int handle_sys_exit_get_robust_list(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; if (!ior_on_syscall_exit(tid, SYS_ENTER_GET_ROBUST_LIST, ctx->ret)) return 0; struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; ev->event_type = EXIT_RET_EVENT; ev->trace_id = SYS_EXIT_GET_ROBUST_LIST; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); ev->ret = ctx->ret; ev->ret_type = UNCLASSIFIED; bpf_ringbuf_submit(ev, 0); return 0; } /// sys_enter_futex is a struct null_event (kind=futex) SEC("tracepoint/syscalls/sys_enter_futex") int handle_sys_enter_futex(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; if (!ior_on_syscall_enter(tid, SYS_ENTER_FUTEX)) return 0; struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; ev->event_type = ENTER_NULL_EVENT; ev->trace_id = SYS_ENTER_FUTEX; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); bpf_ringbuf_submit(ev, 0); return 0; } /// sys_exit_futex is a struct ret_event (UNCLASSIFIED) (kind=ret) SEC("tracepoint/syscalls/sys_exit_futex") int handle_sys_exit_futex(struct syscall_trace_exit *ctx) { __u32 pid, tid; if 
(filter(&pid, &tid)) return 0; if (!ior_on_syscall_exit(tid, SYS_ENTER_FUTEX, ctx->ret)) return 0; struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; ev->event_type = EXIT_RET_EVENT; ev->trace_id = SYS_EXIT_FUTEX; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); ev->ret = ctx->ret; ev->ret_type = UNCLASSIFIED; bpf_ringbuf_submit(ev, 0); return 0; } /// sys_enter_futex_waitv is a struct null_event (kind=futex) SEC("tracepoint/syscalls/sys_enter_futex_waitv") int handle_sys_enter_futex_waitv(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; if (!ior_on_syscall_enter(tid, SYS_ENTER_FUTEX_WAITV)) return 0; struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; ev->event_type = ENTER_NULL_EVENT; ev->trace_id = SYS_ENTER_FUTEX_WAITV; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); bpf_ringbuf_submit(ev, 0); return 0; } /// sys_exit_futex_waitv is a struct ret_event (UNCLASSIFIED) (kind=ret) SEC("tracepoint/syscalls/sys_exit_futex_waitv") int handle_sys_exit_futex_waitv(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; if (!ior_on_syscall_exit(tid, SYS_ENTER_FUTEX_WAITV, ctx->ret)) return 0; struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; ev->event_type = EXIT_RET_EVENT; ev->trace_id = SYS_EXIT_FUTEX_WAITV; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); ev->ret = ctx->ret; ev->ret_type = UNCLASSIFIED; bpf_ringbuf_submit(ev, 0); return 0; } /// sys_enter_futex_wake is a struct null_event (kind=futex) SEC("tracepoint/syscalls/sys_enter_futex_wake") int handle_sys_enter_futex_wake(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; if (!ior_on_syscall_enter(tid, SYS_ENTER_FUTEX_WAKE)) return 0; struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct 
null_event), 0); if (!ev) return 0; ev->event_type = ENTER_NULL_EVENT; ev->trace_id = SYS_ENTER_FUTEX_WAKE; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); bpf_ringbuf_submit(ev, 0); return 0; } /// sys_exit_futex_wake is a struct ret_event (UNCLASSIFIED) (kind=ret) SEC("tracepoint/syscalls/sys_exit_futex_wake") int handle_sys_exit_futex_wake(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; if (!ior_on_syscall_exit(tid, SYS_ENTER_FUTEX_WAKE, ctx->ret)) return 0; struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; ev->event_type = EXIT_RET_EVENT; ev->trace_id = SYS_EXIT_FUTEX_WAKE; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); ev->ret = ctx->ret; ev->ret_type = UNCLASSIFIED; bpf_ringbuf_submit(ev, 0); return 0; } /// sys_enter_futex_wait is a struct null_event (kind=futex) SEC("tracepoint/syscalls/sys_enter_futex_wait") int handle_sys_enter_futex_wait(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; if (!ior_on_syscall_enter(tid, SYS_ENTER_FUTEX_WAIT)) return 0; struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; ev->event_type = ENTER_NULL_EVENT; ev->trace_id = SYS_ENTER_FUTEX_WAIT; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); bpf_ringbuf_submit(ev, 0); return 0; } /// sys_exit_futex_wait is a struct ret_event (UNCLASSIFIED) (kind=ret) SEC("tracepoint/syscalls/sys_exit_futex_wait") int handle_sys_exit_futex_wait(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; if (!ior_on_syscall_exit(tid, SYS_ENTER_FUTEX_WAIT, ctx->ret)) return 0; struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; ev->event_type = EXIT_RET_EVENT; ev->trace_id = SYS_EXIT_FUTEX_WAIT; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); ev->ret = ctx->ret; ev->ret_type 
= UNCLASSIFIED; bpf_ringbuf_submit(ev, 0); return 0; } /// sys_enter_futex_requeue is a struct null_event (kind=futex) SEC("tracepoint/syscalls/sys_enter_futex_requeue") int handle_sys_enter_futex_requeue(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; if (!ior_on_syscall_enter(tid, SYS_ENTER_FUTEX_REQUEUE)) return 0; struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; ev->event_type = ENTER_NULL_EVENT; ev->trace_id = SYS_ENTER_FUTEX_REQUEUE; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); bpf_ringbuf_submit(ev, 0); return 0; } /// sys_exit_futex_requeue is a struct ret_event (UNCLASSIFIED) (kind=ret) SEC("tracepoint/syscalls/sys_exit_futex_requeue") int handle_sys_exit_futex_requeue(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; if (!ior_on_syscall_exit(tid, SYS_ENTER_FUTEX_REQUEUE, ctx->ret)) return 0; struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; ev->event_type = EXIT_RET_EVENT; ev->trace_id = SYS_EXIT_FUTEX_REQUEUE; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); ev->ret = ctx->ret; ev->ret_type = UNCLASSIFIED; bpf_ringbuf_submit(ev, 0); return 0; } /// sys_enter_getitimer is a struct null_event (kind=null) SEC("tracepoint/syscalls/sys_enter_getitimer") int handle_sys_enter_getitimer(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; if (!ior_on_syscall_enter(tid, SYS_ENTER_GETITIMER)) return 0; struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; ev->event_type = ENTER_NULL_EVENT; ev->trace_id = SYS_ENTER_GETITIMER; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); bpf_ringbuf_submit(ev, 0); return 0; } /// sys_exit_getitimer is a struct ret_event (UNCLASSIFIED) (kind=ret) SEC("tracepoint/syscalls/sys_exit_getitimer") int 
handle_sys_exit_getitimer(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; if (!ior_on_syscall_exit(tid, SYS_ENTER_GETITIMER, ctx->ret)) return 0; struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; ev->event_type = EXIT_RET_EVENT; ev->trace_id = SYS_EXIT_GETITIMER; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); ev->ret = ctx->ret; ev->ret_type = UNCLASSIFIED; bpf_ringbuf_submit(ev, 0); return 0; } /// sys_enter_alarm is a struct null_event (kind=null) SEC("tracepoint/syscalls/sys_enter_alarm") int handle_sys_enter_alarm(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; if (!ior_on_syscall_enter(tid, SYS_ENTER_ALARM)) return 0; struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; ev->event_type = ENTER_NULL_EVENT; ev->trace_id = SYS_ENTER_ALARM; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); bpf_ringbuf_submit(ev, 0); return 0; } /// sys_exit_alarm is a struct ret_event (UNCLASSIFIED) (kind=ret) SEC("tracepoint/syscalls/sys_exit_alarm") int handle_sys_exit_alarm(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; if (!ior_on_syscall_exit(tid, SYS_ENTER_ALARM, ctx->ret)) return 0; struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; ev->event_type = EXIT_RET_EVENT; ev->trace_id = SYS_EXIT_ALARM; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); ev->ret = ctx->ret; ev->ret_type = UNCLASSIFIED; bpf_ringbuf_submit(ev, 0); return 0; } /// sys_enter_setitimer is a struct null_event (kind=null) SEC("tracepoint/syscalls/sys_enter_setitimer") int handle_sys_enter_setitimer(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; if (!ior_on_syscall_enter(tid, SYS_ENTER_SETITIMER)) return 0; struct null_event *ev = 
bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; ev->event_type = ENTER_NULL_EVENT; ev->trace_id = SYS_ENTER_SETITIMER; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); bpf_ringbuf_submit(ev, 0); return 0; } /// sys_exit_setitimer is a struct ret_event (UNCLASSIFIED) (kind=ret) SEC("tracepoint/syscalls/sys_exit_setitimer") int handle_sys_exit_setitimer(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; if (!ior_on_syscall_exit(tid, SYS_ENTER_SETITIMER, ctx->ret)) return 0; struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; ev->event_type = EXIT_RET_EVENT; ev->trace_id = SYS_EXIT_SETITIMER; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); ev->ret = ctx->ret; ev->ret_type = UNCLASSIFIED; bpf_ringbuf_submit(ev, 0); return 0; } /// sys_enter_timer_create is a struct null_event (kind=timer-obj) SEC("tracepoint/syscalls/sys_enter_timer_create") int handle_sys_enter_timer_create(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; if (!ior_on_syscall_enter(tid, SYS_ENTER_TIMER_CREATE)) return 0; struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; ev->event_type = ENTER_NULL_EVENT; ev->trace_id = SYS_ENTER_TIMER_CREATE; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); bpf_ringbuf_submit(ev, 0); return 0; } /// sys_exit_timer_create is a struct ret_event (UNCLASSIFIED) (kind=ret) SEC("tracepoint/syscalls/sys_exit_timer_create") int handle_sys_exit_timer_create(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; if (!ior_on_syscall_exit(tid, SYS_ENTER_TIMER_CREATE, ctx->ret)) return 0; struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; ev->event_type = EXIT_RET_EVENT; ev->trace_id = SYS_EXIT_TIMER_CREATE; ev->pid = pid; ev->tid = tid; 
ev->time = bpf_ktime_get_boot_ns(); ev->ret = ctx->ret; ev->ret_type = UNCLASSIFIED; bpf_ringbuf_submit(ev, 0); return 0; } /// sys_enter_timer_gettime is a struct null_event (kind=timer-obj) SEC("tracepoint/syscalls/sys_enter_timer_gettime") int handle_sys_enter_timer_gettime(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; if (!ior_on_syscall_enter(tid, SYS_ENTER_TIMER_GETTIME)) return 0; struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; ev->event_type = ENTER_NULL_EVENT; ev->trace_id = SYS_ENTER_TIMER_GETTIME; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); bpf_ringbuf_submit(ev, 0); return 0; } /// sys_exit_timer_gettime is a struct ret_event (UNCLASSIFIED) (kind=ret) SEC("tracepoint/syscalls/sys_exit_timer_gettime") int handle_sys_exit_timer_gettime(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; if (!ior_on_syscall_exit(tid, SYS_ENTER_TIMER_GETTIME, ctx->ret)) return 0; struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; ev->event_type = EXIT_RET_EVENT; ev->trace_id = SYS_EXIT_TIMER_GETTIME; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); ev->ret = ctx->ret; ev->ret_type = UNCLASSIFIED; bpf_ringbuf_submit(ev, 0); return 0; } /// sys_enter_timer_getoverrun is a struct null_event (kind=timer-obj) SEC("tracepoint/syscalls/sys_enter_timer_getoverrun") int handle_sys_enter_timer_getoverrun(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; if (!ior_on_syscall_enter(tid, SYS_ENTER_TIMER_GETOVERRUN)) return 0; struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; ev->event_type = ENTER_NULL_EVENT; ev->trace_id = SYS_ENTER_TIMER_GETOVERRUN; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); bpf_ringbuf_submit(ev, 0); return 0; } /// 
sys_exit_timer_getoverrun is a struct ret_event (UNCLASSIFIED) (kind=ret) SEC("tracepoint/syscalls/sys_exit_timer_getoverrun") int handle_sys_exit_timer_getoverrun(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; if (!ior_on_syscall_exit(tid, SYS_ENTER_TIMER_GETOVERRUN, ctx->ret)) return 0; struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; ev->event_type = EXIT_RET_EVENT; ev->trace_id = SYS_EXIT_TIMER_GETOVERRUN; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); ev->ret = ctx->ret; ev->ret_type = UNCLASSIFIED; bpf_ringbuf_submit(ev, 0); return 0; } /// sys_enter_timer_settime is a struct null_event (kind=timer-obj) SEC("tracepoint/syscalls/sys_enter_timer_settime") int handle_sys_enter_timer_settime(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; if (!ior_on_syscall_enter(tid, SYS_ENTER_TIMER_SETTIME)) return 0; struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; ev->event_type = ENTER_NULL_EVENT; ev->trace_id = SYS_ENTER_TIMER_SETTIME; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); bpf_ringbuf_submit(ev, 0); return 0; } /// sys_exit_timer_settime is a struct ret_event (UNCLASSIFIED) (kind=ret) SEC("tracepoint/syscalls/sys_exit_timer_settime") int handle_sys_exit_timer_settime(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; if (!ior_on_syscall_exit(tid, SYS_ENTER_TIMER_SETTIME, ctx->ret)) return 0; struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; ev->event_type = EXIT_RET_EVENT; ev->trace_id = SYS_EXIT_TIMER_SETTIME; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); ev->ret = ctx->ret; ev->ret_type = UNCLASSIFIED; bpf_ringbuf_submit(ev, 0); return 0; } /// sys_enter_timer_delete is a struct null_event (kind=timer-obj) 
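// Shared shape of the generated handlers in this group:
//  - filter(&pid, &tid) returning non-zero, ior_on_syscall_enter()/_exit()
//    returning zero, or bpf_ringbuf_reserve() returning NULL each end the
//    handler with no event. The ring-buffer drop is silent (nothing here
//    counts it), so a saturated buffer shows up as missing syscalls.
//  - Exit handlers pass the SYS_ENTER_* id to ior_on_syscall_exit() and stamp
//    the record with the SYS_EXIT_* id. NOTE(review): presumably the enter id
//    keys the per-thread enter/exit pairing; confirm in the helper.
//  - Every handler returns 0 on all paths.
// The clock-changing calls (clock_settime, clock_adjtime, settimeofday,
// adjtimex) are recorded as ENTER_NULL_EVENT: neither the clock id nor the
// requested time is captured, only the call and its return value.
SEC("tracepoint/syscalls/sys_enter_timer_delete")
int handle_sys_enter_timer_delete(struct syscall_trace_enter *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid)) return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_TIMER_DELETE)) return 0;
    struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0);
    if (!ev) return 0;  // ring buffer full: event is dropped without a trace
    ev->event_type = ENTER_NULL_EVENT;
    ev->trace_id = SYS_ENTER_TIMER_DELETE;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_timer_delete is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_timer_delete")
int handle_sys_exit_timer_delete(struct syscall_trace_exit *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid)) return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_TIMER_DELETE, ctx->ret)) return 0;
    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev) return 0;
    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_TIMER_DELETE;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_clock_settime is a struct null_event (kind=null)
SEC("tracepoint/syscalls/sys_enter_clock_settime")
int handle_sys_enter_clock_settime(struct syscall_trace_enter *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid)) return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_CLOCK_SETTIME)) return 0;
    struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0);
    if (!ev) return 0;
    ev->event_type = ENTER_NULL_EVENT;
    ev->trace_id = SYS_ENTER_CLOCK_SETTIME;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_clock_settime is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_clock_settime")
int handle_sys_exit_clock_settime(struct syscall_trace_exit *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid)) return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_CLOCK_SETTIME, ctx->ret)) return 0;
    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev) return 0;
    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_CLOCK_SETTIME;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_clock_gettime is a struct null_event (kind=null)
SEC("tracepoint/syscalls/sys_enter_clock_gettime")
int handle_sys_enter_clock_gettime(struct syscall_trace_enter *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid)) return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_CLOCK_GETTIME)) return 0;
    struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0);
    if (!ev) return 0;
    ev->event_type = ENTER_NULL_EVENT;
    ev->trace_id = SYS_ENTER_CLOCK_GETTIME;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_clock_gettime is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_clock_gettime")
int handle_sys_exit_clock_gettime(struct syscall_trace_exit *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid)) return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_CLOCK_GETTIME, ctx->ret)) return 0;
    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev) return 0;
    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_CLOCK_GETTIME;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_clock_adjtime is a struct null_event (kind=null)
SEC("tracepoint/syscalls/sys_enter_clock_adjtime")
int handle_sys_enter_clock_adjtime(struct syscall_trace_enter *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid)) return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_CLOCK_ADJTIME)) return 0;
    struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0);
    if (!ev) return 0;
    ev->event_type = ENTER_NULL_EVENT;
    ev->trace_id = SYS_ENTER_CLOCK_ADJTIME;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_clock_adjtime is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_clock_adjtime")
int handle_sys_exit_clock_adjtime(struct syscall_trace_exit *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid)) return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_CLOCK_ADJTIME, ctx->ret)) return 0;
    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev) return 0;
    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_CLOCK_ADJTIME;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_clock_getres is a struct null_event (kind=null)
SEC("tracepoint/syscalls/sys_enter_clock_getres")
int handle_sys_enter_clock_getres(struct syscall_trace_enter *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid)) return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_CLOCK_GETRES)) return 0;
    struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0);
    if (!ev) return 0;
    ev->event_type = ENTER_NULL_EVENT;
    ev->trace_id = SYS_ENTER_CLOCK_GETRES;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_clock_getres is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_clock_getres")
int handle_sys_exit_clock_getres(struct syscall_trace_exit *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid)) return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_CLOCK_GETRES, ctx->ret)) return 0;
    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev) return 0;
    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_CLOCK_GETRES;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_clock_nanosleep is a struct sleep_event (kind=sleep)
///
/// clock_nanosleep(clockid, flags, request, remain): args[1] is the flags word
/// and args[2] the user pointer to the requested timespec. requested_ns keeps
/// the -1 sentinel when the pointer is NULL, the user-memory read fails,
/// TIMER_ABSTIME is set (the value is then a deadline, not a duration), or the
/// timespec is out of range.
///
/// The timespec is copied from the traced process's memory, so both fields are
/// chosen by that process. They are range-checked before the multiply so that
/// a crafted tv_sec cannot overflow the signed 64-bit product (undefined
/// behaviour in C) or produce a value that aliases the -1 sentinel.
/// The kernel copies the timespec again after this tracepoint fires, and
/// another thread may change it in between, so requested_ns is advisory.
/// This file is generated: the same check belongs in the generator template.
SEC("tracepoint/syscalls/sys_enter_clock_nanosleep")
int handle_sys_enter_clock_nanosleep(struct syscall_trace_enter *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid)) return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_CLOCK_NANOSLEEP)) return 0;
    struct sleep_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct sleep_event), 0);
    if (!ev) return 0;
    ev->event_type = ENTER_SLEEP_EVENT;
    ev->trace_id = SYS_ENTER_CLOCK_NANOSLEEP;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->requested_ns = -1;  // sentinel: duration unknown or not applicable
    if (ctx->args[2] != 0) {
        struct __ior_timespec { __s64 tv_sec; __s64 tv_nsec; } ts = {};
        if (bpf_probe_read_user(&ts, sizeof(ts), (void *)ctx->args[2]) == 0) {
            // Largest tv_sec for which tv_sec * 1e9 + tv_nsec (tv_nsec < 1e9)
            // still fits in a signed 64-bit value.
            const __s64 max_sec = 9223372035LL;
            if ((ctx->args[1] & 1 /* TIMER_ABSTIME */) == 0 &&
                ts.tv_sec >= 0 && ts.tv_sec <= max_sec &&
                ts.tv_nsec >= 0 && ts.tv_nsec < 1000000000LL) {
                ev->requested_ns = ts.tv_sec * 1000000000LL + ts.tv_nsec;
            }
        }
    }
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_clock_nanosleep is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_clock_nanosleep")
int handle_sys_exit_clock_nanosleep(struct syscall_trace_exit *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid)) return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_CLOCK_NANOSLEEP, ctx->ret)) return 0;
    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev) return 0;
    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_CLOCK_NANOSLEEP;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_nanosleep is a struct sleep_event (kind=sleep)
///
/// nanosleep(req, rem): args[0] is the user pointer to the requested timespec.
/// requested_ns keeps the -1 sentinel when the pointer is NULL, the
/// user-memory read fails, or the timespec is out of range. The fields come
/// from the traced process, so they are range-checked before the multiply for
/// the same reason as in handle_sys_enter_clock_nanosleep; the recorded value
/// is advisory because the kernel re-reads the timespec after this tracepoint.
SEC("tracepoint/syscalls/sys_enter_nanosleep")
int handle_sys_enter_nanosleep(struct syscall_trace_enter *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid)) return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_NANOSLEEP)) return 0;
    struct sleep_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct sleep_event), 0);
    if (!ev) return 0;
    ev->event_type = ENTER_SLEEP_EVENT;
    ev->trace_id = SYS_ENTER_NANOSLEEP;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->requested_ns = -1;  // sentinel: duration unknown
    if (ctx->args[0] != 0) {
        struct __ior_timespec { __s64 tv_sec; __s64 tv_nsec; } ts = {};
        if (bpf_probe_read_user(&ts, sizeof(ts), (void *)ctx->args[0]) == 0) {
            // Largest tv_sec for which tv_sec * 1e9 + tv_nsec (tv_nsec < 1e9)
            // still fits in a signed 64-bit value.
            const __s64 max_sec = 9223372035LL;
            if (ts.tv_sec >= 0 && ts.tv_sec <= max_sec &&
                ts.tv_nsec >= 0 && ts.tv_nsec < 1000000000LL) {
                ev->requested_ns = ts.tv_sec * 1000000000LL + ts.tv_nsec;
            }
        }
    }
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_nanosleep is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_nanosleep")
int handle_sys_exit_nanosleep(struct syscall_trace_exit *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid)) return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_NANOSLEEP, ctx->ret)) return 0;
    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev) return 0;
    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_NANOSLEEP;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_time is a struct null_event (kind=null)
SEC("tracepoint/syscalls/sys_enter_time")
int handle_sys_enter_time(struct syscall_trace_enter *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid)) return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_TIME)) return 0;
    struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0);
    if (!ev) return 0;
    ev->event_type = ENTER_NULL_EVENT;
    ev->trace_id = SYS_ENTER_TIME;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_time is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_time")
int handle_sys_exit_time(struct syscall_trace_exit *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid)) return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_TIME, ctx->ret)) return 0;
    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev) return 0;
    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_TIME;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_gettimeofday is a struct null_event (kind=null)
SEC("tracepoint/syscalls/sys_enter_gettimeofday")
int handle_sys_enter_gettimeofday(struct syscall_trace_enter *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid)) return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_GETTIMEOFDAY)) return 0;
    struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0);
    if (!ev) return 0;
    ev->event_type = ENTER_NULL_EVENT;
    ev->trace_id = SYS_ENTER_GETTIMEOFDAY;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_gettimeofday is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_gettimeofday")
int handle_sys_exit_gettimeofday(struct syscall_trace_exit *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid)) return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_GETTIMEOFDAY, ctx->ret)) return 0;
    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev) return 0;
    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_GETTIMEOFDAY;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_settimeofday is a struct null_event (kind=null)
SEC("tracepoint/syscalls/sys_enter_settimeofday")
int handle_sys_enter_settimeofday(struct syscall_trace_enter *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid)) return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_SETTIMEOFDAY)) return 0;
    struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0);
    if (!ev) return 0;
    ev->event_type = ENTER_NULL_EVENT;
    ev->trace_id = SYS_ENTER_SETTIMEOFDAY;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_settimeofday is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_settimeofday")
int handle_sys_exit_settimeofday(struct syscall_trace_exit *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid)) return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_SETTIMEOFDAY, ctx->ret)) return 0;
    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev) return 0;
    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_SETTIMEOFDAY;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_adjtimex is a struct null_event (kind=null)
SEC("tracepoint/syscalls/sys_enter_adjtimex")
int handle_sys_enter_adjtimex(struct syscall_trace_enter *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid)) return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_ADJTIMEX)) return 0;
    struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0);
    if (!ev) return 0;
    ev->event_type = ENTER_NULL_EVENT;
    ev->trace_id = SYS_ENTER_ADJTIMEX;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_adjtimex is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_adjtimex")
int handle_sys_exit_adjtimex(struct syscall_trace_exit *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid)) return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_ADJTIMEX, ctx->ret)) return 0;
    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev) return 0;
    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_ADJTIMEX;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_kcmp is a struct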
/// two_fd_event (kind=two-fd)
//
// Handlers in this stretch share one shape: drop the event when filter()
// returns non-zero or the ior_on_syscall_* hook returns zero, reserve a record
// in event_map, fill it, submit it, and always return 0. pid and tid are
// written only by filter(). Exit handlers hand the SYS_ENTER_* id of their
// syscall to ior_on_syscall_exit() and store the SYS_EXIT_* id in the record.
//
// kcmp(2) takes (pid1, pid2, type, idx1, idx2): `extra` holds the type and
// fd_a/fd_b hold idx1/idx2 truncated to 32 bits. idx1 names a descriptor in
// pid1's table for KCMP_FILE and KCMP_EPOLL_TFD; idx2 names a descriptor (in
// pid2's table) only for KCMP_FILE. For KCMP_EPOLL_TFD idx2 is a user pointer,
// and the remaining types ignore both. Consumers should check `extra` before
// treating fd_a/fd_b as descriptors, and should not resolve them against the
// caller's own table. pid1 and pid2 (args[0], args[1]) are not recorded.
SEC("tracepoint/syscalls/sys_enter_kcmp")
int handle_sys_enter_kcmp(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;
    if (filter(&pid, &tid) || !ior_on_syscall_enter(tid, SYS_ENTER_KCMP))
        return 0;
    struct two_fd_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;
    rec->event_type = ENTER_TWO_FD_EVENT;
    rec->trace_id = SYS_ENTER_KCMP;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    rec->fd_a = (__s32)ctx->args[3];
    rec->fd_b = (__s32)ctx->args[4];
    rec->extra = (__u64)ctx->args[2];
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_kcmp is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_kcmp")
int handle_sys_exit_kcmp(struct syscall_trace_exit *ctx)
{
    __u32 pid, tid;
    if (filter(&pid, &tid) || !ior_on_syscall_exit(tid, SYS_ENTER_KCMP, ctx->ret))
        return 0;
    struct ret_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;
    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_KCMP;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret = ctx->ret;
    rec->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_delete_module is a struct null_event (kind=module)
// No syscall argument is read, so the module name and flags passed to
// delete_module(2) are not available to consumers of this record.
SEC("tracepoint/syscalls/sys_enter_delete_module")
int handle_sys_enter_delete_module(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;
    if (filter(&pid, &tid) || !ior_on_syscall_enter(tid, SYS_ENTER_DELETE_MODULE))
        return 0;
    struct null_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;
    rec->event_type = ENTER_NULL_EVENT;
    rec->trace_id = SYS_ENTER_DELETE_MODULE;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_delete_module is a struct null_event (kind=module)
// ctx->ret is handed to ior_on_syscall_exit() only; the EXIT_NULL_EVENT record
// has no return value, so the record alone cannot tell a completed unload
// from a rejected one.
SEC("tracepoint/syscalls/sys_exit_delete_module")
int handle_sys_exit_delete_module(struct syscall_trace_exit *ctx)
{
    __u32 pid, tid;
    if (filter(&pid, &tid) || !ior_on_syscall_exit(tid, SYS_ENTER_DELETE_MODULE, ctx->ret))
        return 0;
    struct null_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;
    rec->event_type = EXIT_NULL_EVENT;
    rec->trace_id = SYS_EXIT_DELETE_MODULE;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_init_module is a struct null_event (kind=module)
// No syscall argument is read: the image pointer, its length and the
// parameter string of init_module(2) are not part of the record.
SEC("tracepoint/syscalls/sys_enter_init_module")
int handle_sys_enter_init_module(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;
    if (filter(&pid, &tid) || !ior_on_syscall_enter(tid, SYS_ENTER_INIT_MODULE))
        return 0;
    struct null_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;
    rec->event_type = ENTER_NULL_EVENT;
    rec->trace_id = SYS_ENTER_INIT_MODULE;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_init_module is a struct null_event (kind=module)
// As with delete_module, the exit record carries no return value; only
// ior_on_syscall_exit() sees ctx->ret. The finit_module exit handler below
// does record it.
SEC("tracepoint/syscalls/sys_exit_init_module")
int handle_sys_exit_init_module(struct syscall_trace_exit *ctx)
{
    __u32 pid, tid;
    if (filter(&pid, &tid) || !ior_on_syscall_exit(tid, SYS_ENTER_INIT_MODULE, ctx->ret))
        return 0;
    struct null_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;
    rec->event_type = EXIT_NULL_EVENT;
    rec->trace_id = SYS_EXIT_INIT_MODULE;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_finit_module is a struct fd_event (kind=fd)
// Records args[0], the descriptor of the module image. The flags argument
// (args[2]), where MODULE_INIT_IGNORE_MODVERSIONS and
// MODULE_INIT_IGNORE_VERMAGIC are passed, is not recorded.
SEC("tracepoint/syscalls/sys_enter_finit_module")
int handle_sys_enter_finit_module(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;
    if (filter(&pid, &tid) || !ior_on_syscall_enter(tid, SYS_ENTER_FINIT_MODULE))
        return 0;
    struct fd_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;
    rec->event_type = ENTER_FD_EVENT;
    rec->trace_id = SYS_ENTER_FINIT_MODULE;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    rec->fd = (__s32)ctx->args[0];
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_finit_module is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_finit_module")
int handle_sys_exit_finit_module(struct syscall_trace_exit *ctx)
{
    __u32 pid, tid;
    if (filter(&pid, &tid) || !ior_on_syscall_exit(tid, SYS_ENTER_FINIT_MODULE, ctx->ret))
        return 0;
    struct ret_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;
    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_FINIT_MODULE;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret = ctx->ret;
    rec->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_syslog is a struct null_event (kind=null)
// The action type (args[0]) of syslog(2) is not recorded.
SEC("tracepoint/syscalls/sys_enter_syslog")
int handle_sys_enter_syslog(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;
    if (filter(&pid, &tid) || !ior_on_syscall_enter(tid, SYS_ENTER_SYSLOG))
        return 0;
    struct null_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;
    rec->event_type = ENTER_NULL_EVENT;
    rec->trace_id = SYS_ENTER_SYSLOG;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_syslog is a struct ret_event (READ_CLASSIFIED) (kind=ret)
// NOTE(review): syslog(2) returns a byte count only for its read actions;
// size queries and control actions return other values. READ_CLASSIFIED
// presumably marks ret as bytes read - confirm the consumer does not count
// those other results, since the action type is not in the enter record.
SEC("tracepoint/syscalls/sys_exit_syslog")
int handle_sys_exit_syslog(struct syscall_trace_exit *ctx)
{
    __u32 pid, tid;
    if (filter(&pid, &tid) || !ior_on_syscall_exit(tid, SYS_ENTER_SYSLOG, ctx->ret))
        return 0;
    struct ret_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;
    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_SYSLOG;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret = ctx->ret;
    rec->ret_type = READ_CLASSIFIED;
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

///
/// sys_enter_membarrier is a struct null_event (kind=null)
//
// membarrier and the sched_* family. Each enter handler emits an
// ENTER_NULL_EVENT and each exit handler an EXIT_RET_EVENT carrying ctx->ret
// tagged UNCLASSIFIED. An event is dropped when filter() returns non-zero, the
// ior_on_syscall_* hook returns zero, or the ring-buffer reservation fails;
// every handler returns 0. None of the enter handlers reads ctx->args, so the
// target pid, policy, priority or CPU mask of these calls is not recorded.
// Exit handlers pass the SYS_ENTER_* id to ior_on_syscall_exit() and store the
// SYS_EXIT_* id in the record.
SEC("tracepoint/syscalls/sys_enter_membarrier")
int handle_sys_enter_membarrier(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;
    if (filter(&pid, &tid) || !ior_on_syscall_enter(tid, SYS_ENTER_MEMBARRIER))
        return 0;
    struct null_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;
    rec->event_type = ENTER_NULL_EVENT;
    rec->trace_id = SYS_ENTER_MEMBARRIER;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_membarrier is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_membarrier")
int handle_sys_exit_membarrier(struct syscall_trace_exit *ctx)
{
    __u32 pid, tid;
    if (filter(&pid, &tid) || !ior_on_syscall_exit(tid, SYS_ENTER_MEMBARRIER, ctx->ret))
        return 0;
    struct ret_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;
    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_MEMBARRIER;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret = ctx->ret;
    rec->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_sched_setscheduler is a struct null_event (kind=null)
SEC("tracepoint/syscalls/sys_enter_sched_setscheduler")
int handle_sys_enter_sched_setscheduler(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;
    if (filter(&pid, &tid) || !ior_on_syscall_enter(tid, SYS_ENTER_SCHED_SETSCHEDULER))
        return 0;
    struct null_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;
    rec->event_type = ENTER_NULL_EVENT;
    rec->trace_id = SYS_ENTER_SCHED_SETSCHEDULER;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_sched_setscheduler is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_sched_setscheduler")
int handle_sys_exit_sched_setscheduler(struct syscall_trace_exit *ctx)
{
    __u32 pid, tid;
    if (filter(&pid, &tid) || !ior_on_syscall_exit(tid, SYS_ENTER_SCHED_SETSCHEDULER, ctx->ret))
        return 0;
    struct ret_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;
    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_SCHED_SETSCHEDULER;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret = ctx->ret;
    rec->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_sched_setparam is a struct null_event (kind=null)
SEC("tracepoint/syscalls/sys_enter_sched_setparam")
int handle_sys_enter_sched_setparam(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;
    if (filter(&pid, &tid) || !ior_on_syscall_enter(tid, SYS_ENTER_SCHED_SETPARAM))
        return 0;
    struct null_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;
    rec->event_type = ENTER_NULL_EVENT;
    rec->trace_id = SYS_ENTER_SCHED_SETPARAM;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_sched_setparam is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_sched_setparam")
int handle_sys_exit_sched_setparam(struct syscall_trace_exit *ctx)
{
    __u32 pid, tid;
    if (filter(&pid, &tid) || !ior_on_syscall_exit(tid, SYS_ENTER_SCHED_SETPARAM, ctx->ret))
        return 0;
    struct ret_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;
    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_SCHED_SETPARAM;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret = ctx->ret;
    rec->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_sched_setattr is a struct null_event (kind=null)
SEC("tracepoint/syscalls/sys_enter_sched_setattr")
int handle_sys_enter_sched_setattr(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;
    if (filter(&pid, &tid) || !ior_on_syscall_enter(tid, SYS_ENTER_SCHED_SETATTR))
        return 0;
    struct null_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;
    rec->event_type = ENTER_NULL_EVENT;
    rec->trace_id = SYS_ENTER_SCHED_SETATTR;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_sched_setattr is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_sched_setattr")
int handle_sys_exit_sched_setattr(struct syscall_trace_exit *ctx)
{
    __u32 pid, tid;
    if (filter(&pid, &tid) || !ior_on_syscall_exit(tid, SYS_ENTER_SCHED_SETATTR, ctx->ret))
        return 0;
    struct ret_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;
    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_SCHED_SETATTR;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret = ctx->ret;
    rec->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_sched_getscheduler is a struct null_event (kind=null)
SEC("tracepoint/syscalls/sys_enter_sched_getscheduler")
int handle_sys_enter_sched_getscheduler(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;
    if (filter(&pid, &tid) || !ior_on_syscall_enter(tid, SYS_ENTER_SCHED_GETSCHEDULER))
        return 0;
    struct null_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;
    rec->event_type = ENTER_NULL_EVENT;
    rec->trace_id = SYS_ENTER_SCHED_GETSCHEDULER;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_sched_getscheduler is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_sched_getscheduler")
int handle_sys_exit_sched_getscheduler(struct syscall_trace_exit *ctx)
{
    __u32 pid, tid;
    if (filter(&pid, &tid) || !ior_on_syscall_exit(tid, SYS_ENTER_SCHED_GETSCHEDULER, ctx->ret))
        return 0;
    struct ret_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;
    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_SCHED_GETSCHEDULER;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret = ctx->ret;
    rec->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_sched_getparam is a struct null_event (kind=null)
SEC("tracepoint/syscalls/sys_enter_sched_getparam")
int handle_sys_enter_sched_getparam(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;
    if (filter(&pid, &tid) || !ior_on_syscall_enter(tid, SYS_ENTER_SCHED_GETPARAM))
        return 0;
    struct null_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;
    rec->event_type = ENTER_NULL_EVENT;
    rec->trace_id = SYS_ENTER_SCHED_GETPARAM;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_sched_getparam is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_sched_getparam")
int handle_sys_exit_sched_getparam(struct syscall_trace_exit *ctx)
{
    __u32 pid, tid;
    if (filter(&pid, &tid) || !ior_on_syscall_exit(tid, SYS_ENTER_SCHED_GETPARAM, ctx->ret))
        return 0;
    struct ret_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;
    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_SCHED_GETPARAM;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret = ctx->ret;
    rec->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_sched_getattr is a struct null_event (kind=null)
SEC("tracepoint/syscalls/sys_enter_sched_getattr")
int handle_sys_enter_sched_getattr(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;
    if (filter(&pid, &tid) || !ior_on_syscall_enter(tid, SYS_ENTER_SCHED_GETATTR))
        return 0;
    struct null_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;
    rec->event_type = ENTER_NULL_EVENT;
    rec->trace_id = SYS_ENTER_SCHED_GETATTR;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_sched_getattr is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_sched_getattr")
int handle_sys_exit_sched_getattr(struct syscall_trace_exit *ctx)
{
    __u32 pid, tid;
    if (filter(&pid, &tid) || !ior_on_syscall_exit(tid, SYS_ENTER_SCHED_GETATTR, ctx->ret))
        return 0;
    struct ret_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;
    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_SCHED_GETATTR;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret = ctx->ret;
    rec->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_sched_setaffinity is a struct null_event (kind=null)
SEC("tracepoint/syscalls/sys_enter_sched_setaffinity")
int handle_sys_enter_sched_setaffinity(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;
    if (filter(&pid, &tid) || !ior_on_syscall_enter(tid, SYS_ENTER_SCHED_SETAFFINITY))
        return 0;
    struct null_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;
    rec->event_type = ENTER_NULL_EVENT;
    rec->trace_id = SYS_ENTER_SCHED_SETAFFINITY;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_sched_setaffinity is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_sched_setaffinity")
int handle_sys_exit_sched_setaffinity(struct syscall_trace_exit *ctx)
{
    __u32 pid, tid;
    if (filter(&pid, &tid) || !ior_on_syscall_exit(tid, SYS_ENTER_SCHED_SETAFFINITY, ctx->ret))
        return 0;
    struct ret_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;
    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_SCHED_SETAFFINITY;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret = ctx->ret;
    rec->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_sched_getaffinity is a struct null_event (kind=null)
SEC("tracepoint/syscalls/sys_enter_sched_getaffinity")
int handle_sys_enter_sched_getaffinity(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;
    if (filter(&pid, &tid) || !ior_on_syscall_enter(tid, SYS_ENTER_SCHED_GETAFFINITY))
        return 0;
    struct null_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;
    rec->event_type = ENTER_NULL_EVENT;
    rec->trace_id = SYS_ENTER_SCHED_GETAFFINITY;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_sched_getaffinity is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_sched_getaffinity")
int handle_sys_exit_sched_getaffinity(struct syscall_trace_exit *ctx)
{
    __u32 pid, tid;
    if (filter(&pid, &tid) || !ior_on_syscall_exit(tid, SYS_ENTER_SCHED_GETAFFINITY, ctx->ret))
        return 0;
    struct ret_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;
    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_SCHED_GETAFFINITY;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret = ctx->ret;
    rec->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_sched_yield is a struct null_event (kind=null)
SEC("tracepoint/syscalls/sys_enter_sched_yield")
int handle_sys_enter_sched_yield(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;
    if (filter(&pid, &tid) || !ior_on_syscall_enter(tid, SYS_ENTER_SCHED_YIELD))
        return 0;
    struct null_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;
    rec->event_type = ENTER_NULL_EVENT;
    rec->trace_id = SYS_ENTER_SCHED_YIELD;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_sched_yield is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_sched_yield")
int handle_sys_exit_sched_yield(struct syscall_trace_exit *ctx)
{
    __u32 pid, tid;
    if (filter(&pid, &tid) || !ior_on_syscall_exit(tid, SYS_ENTER_SCHED_YIELD, ctx->ret))
        return 0;
    struct ret_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;
    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_SCHED_YIELD;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret = ctx->ret;
    rec->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_sched_get_priority_max is a struct null_event (kind=null)
SEC("tracepoint/syscalls/sys_enter_sched_get_priority_max")
int handle_sys_enter_sched_get_priority_max(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;
    if (filter(&pid, &tid) || !ior_on_syscall_enter(tid, SYS_ENTER_SCHED_GET_PRIORITY_MAX))
        return 0;
    struct null_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;
    rec->event_type = ENTER_NULL_EVENT;
    rec->trace_id = SYS_ENTER_SCHED_GET_PRIORITY_MAX;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_sched_get_priority_max is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_sched_get_priority_max")
int handle_sys_exit_sched_get_priority_max(struct syscall_trace_exit *ctx)
{
    __u32 pid, tid;
    if (filter(&pid, &tid) || !ior_on_syscall_exit(tid, SYS_ENTER_SCHED_GET_PRIORITY_MAX, ctx->ret))
        return 0;
    struct ret_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;
    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_SCHED_GET_PRIORITY_MAX;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret = ctx->ret;
    rec->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_sched_get_priority_min is a struct null_event (kind=null)
// Emits an ENTER_NULL_EVENT record; ctx->args is not read. The event is
// dropped when filter() returns non-zero, ior_on_syscall_enter() returns
// zero, or the ring-buffer reservation fails. Always returns 0.
SEC("tracepoint/syscalls/sys_enter_sched_get_priority_min")
int handle_sys_enter_sched_get_priority_min(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;
    if (filter(&pid, &tid) || !ior_on_syscall_enter(tid, SYS_ENTER_SCHED_GET_PRIORITY_MIN))
        return 0;
    struct null_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;
    rec->event_type = ENTER_NULL_EVENT;
    rec->trace_id = SYS_ENTER_SCHED_GET_PRIORITY_MIN;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_sched_get_priority_min is a struct ret_event (UNCLASSIFIED) (kind=ret)
// Emits an EXIT_RET_EVENT carrying ctx->ret tagged UNCLASSIFIED. The hook is
// given the SYS_ENTER_* id; the record stores the SYS_EXIT_* id.
SEC("tracepoint/syscalls/sys_exit_sched_get_priority_min")
int handle_sys_exit_sched_get_priority_min(struct syscall_trace_exit *ctx)
{
    __u32 pid, tid;
    if (filter(&pid, &tid) || !ior_on_syscall_exit(tid, SYS_ENTER_SCHED_GET_PRIORITY_MIN, ctx->ret))
        return 0;
    struct ret_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;
    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_SCHED_GET_PRIORITY_MIN;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret = ctx->ret;
    rec->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_sched_rr_get_interval is a struct null_event (kind=null)
// Same null-event shape as above; the target pid argument is not recorded.
SEC("tracepoint/syscalls/sys_enter_sched_rr_get_interval")
int handle_sys_enter_sched_rr_get_interval(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;
    if (filter(&pid, &tid) || !ior_on_syscall_enter(tid, SYS_ENTER_SCHED_RR_GET_INTERVAL))
        return 0;
    struct null_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;
    rec->event_type = ENTER_NULL_EVENT;
    rec->trace_id = SYS_ENTER_SCHED_RR_GET_INTERVAL;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_sched_rr_get_interval is a struct ret_event (UNCLASSIFIED) (kind=ret)
// Handlers in this stretch drop the event when filter() returns non-zero, the
// ior_on_syscall_* hook returns zero, or the ring-buffer reservation fails,
// and always return 0. Exit handlers pass the SYS_ENTER_* id to
// ior_on_syscall_exit() and store the SYS_EXIT_* id in the record.
SEC("tracepoint/syscalls/sys_exit_sched_rr_get_interval")
int handle_sys_exit_sched_rr_get_interval(struct syscall_trace_exit *ctx)
{
    __u32 pid, tid;
    if (filter(&pid, &tid) || !ior_on_syscall_exit(tid, SYS_ENTER_SCHED_RR_GET_INTERVAL, ctx->ret))
        return 0;
    struct ret_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;
    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_SCHED_RR_GET_INTERVAL;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret = ctx->ret;
    rec->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_getgroups is a struct null_event (kind=null)
SEC("tracepoint/syscalls/sys_enter_getgroups")
int handle_sys_enter_getgroups(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;
    if (filter(&pid, &tid) || !ior_on_syscall_enter(tid, SYS_ENTER_GETGROUPS))
        return 0;
    struct null_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;
    rec->event_type = ENTER_NULL_EVENT;
    rec->trace_id = SYS_ENTER_GETGROUPS;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_getgroups is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_getgroups")
int handle_sys_exit_getgroups(struct syscall_trace_exit *ctx)
{
    __u32 pid, tid;
    if (filter(&pid, &tid) || !ior_on_syscall_exit(tid, SYS_ENTER_GETGROUPS, ctx->ret))
        return 0;
    struct ret_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;
    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_GETGROUPS;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret = ctx->ret;
    rec->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_setgroups is a struct null_event (kind=null)
// ctx->args is not read, so the supplementary group list being installed is
// not part of the record.
SEC("tracepoint/syscalls/sys_enter_setgroups")
int handle_sys_enter_setgroups(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;
    if (filter(&pid, &tid) || !ior_on_syscall_enter(tid, SYS_ENTER_SETGROUPS))
        return 0;
    struct null_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;
    rec->event_type = ENTER_NULL_EVENT;
    rec->trace_id = SYS_ENTER_SETGROUPS;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_setgroups is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_setgroups")
int handle_sys_exit_setgroups(struct syscall_trace_exit *ctx)
{
    __u32 pid, tid;
    if (filter(&pid, &tid) || !ior_on_syscall_exit(tid, SYS_ENTER_SETGROUPS, ctx->ret))
        return 0;
    struct ret_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;
    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_SETGROUPS;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret = ctx->ret;
    rec->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_reboot is a struct null_event (kind=null)
// The magic numbers and command passed to reboot(2) are not recorded.
SEC("tracepoint/syscalls/sys_enter_reboot")
int handle_sys_enter_reboot(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;
    if (filter(&pid, &tid) || !ior_on_syscall_enter(tid, SYS_ENTER_REBOOT))
        return 0;
    struct null_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;
    rec->event_type = ENTER_NULL_EVENT;
    rec->trace_id = SYS_ENTER_REBOOT;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_reboot is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_reboot")
int handle_sys_exit_reboot(struct syscall_trace_exit *ctx)
{
    __u32 pid, tid;
    if (filter(&pid, &tid) || !ior_on_syscall_exit(tid, SYS_ENTER_REBOOT, ctx->ret))
        return 0;
    struct ret_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;
    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_REBOOT;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret = ctx->ret;
    rec->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_listns is a struct null_event (kind=null)
SEC("tracepoint/syscalls/sys_enter_listns")
int handle_sys_enter_listns(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;
    if (filter(&pid, &tid) || !ior_on_syscall_enter(tid, SYS_ENTER_LISTNS))
        return 0;
    struct null_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;
    rec->event_type = ENTER_NULL_EVENT;
    rec->trace_id = SYS_ENTER_LISTNS;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_listns is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_listns")
int handle_sys_exit_listns(struct syscall_trace_exit *ctx)
{
    __u32 pid, tid;
    if (filter(&pid, &tid) || !ior_on_syscall_exit(tid, SYS_ENTER_LISTNS, ctx->ret))
        return 0;
    struct ret_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;
    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_LISTNS;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret = ctx->ret;
    rec->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_setns is a struct fd_event (kind=fd)
// Records args[0] truncated to 32 bits. setns(2) accepts either a namespace
// descriptor or, on Linux 5.8 and later, a pidfd in this position; nstype
// (args[1]) is not recorded, so the record does not say which namespaces are
// being joined.
SEC("tracepoint/syscalls/sys_enter_setns")
int handle_sys_enter_setns(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;
    if (filter(&pid, &tid) || !ior_on_syscall_enter(tid, SYS_ENTER_SETNS))
        return 0;
    struct fd_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;
    rec->event_type = ENTER_FD_EVENT;
    rec->trace_id = SYS_ENTER_SETNS;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    rec->fd = (__s32)ctx->args[0];
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_setns is a struct ret_event (UNCLASSIFIED) (kind=ret)
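// Handlers in this stretch drop the event when filter() returns non-zero, the
// ior_on_syscall_* hook returns zero, or the ring-buffer reservation fails,
// and always return 0. pid and tid are written only by filter(). Exit
// handlers pass the SYS_ENTER_* id of their syscall to ior_on_syscall_exit()
// and store the SYS_EXIT_* id in the record.
SEC("tracepoint/syscalls/sys_exit_setns")
int handle_sys_exit_setns(struct syscall_trace_exit *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_SETNS, ctx->ret))
        return 0;
    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev)
        return 0;
    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_SETNS;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_pidfd_open is a struct eventfd_event (kind=pidfd)
// Records the flags argument (args[1]) and also stashes it in
// eventfd_flags_map under the caller's tid so the exit handler can repeat it.
// The target pid (args[0]) is not recorded, and ret is a -1 placeholder on
// entry. The bpf_map_update_elem() result is not checked: if the update fails,
// the exit record reports flags as 0.
SEC("tracepoint/syscalls/sys_enter_pidfd_open")
int handle_sys_enter_pidfd_open(struct syscall_trace_enter *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_PIDFD_OPEN))
        return 0;
    struct eventfd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct eventfd_event), 0);
    if (!ev)
        return 0;
    ev->event_type = ENTER_EVENTFD_EVENT;
    ev->trace_id = SYS_ENTER_PIDFD_OPEN;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    __s32 flags = (__s32)ctx->args[1];
    bpf_map_update_elem(&eventfd_flags_map, &tid, &flags, BPF_ANY);
    ev->flags = flags;
    ev->ret = -1;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_pidfd_open is a struct eventfd_event (kind=pidfd)
// Reports the return value of pidfd_open(2) together with the flags stashed by
// the enter handler (0 when no entry is found for this tid).
//
// The stashed entry is consumed before the ring-buffer reservation. When the
// lookup and delete came after the reservation, a failed reservation left the
// entry in eventfd_flags_map, where it could outlive the thread or be reported
// as the flags of a later call whose enter handler stored nothing. The header
// marks this file as generated, so the same reordering belongs in the
// generator template or the next regeneration will revert it.
// NOTE(review): the early return on ior_on_syscall_exit() still skips the
// cleanup; whether an entry can exist on that path depends on how that hook
// pairs with ior_on_syscall_enter() - confirm.
SEC("tracepoint/syscalls/sys_exit_pidfd_open")
int handle_sys_exit_pidfd_open(struct syscall_trace_exit *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_PIDFD_OPEN, ctx->ret))
        return 0;
    __s32 flags = 0;
    __s32 *pending = bpf_map_lookup_elem(&eventfd_flags_map, &tid);
    if (pending) {
        flags = *pending;
        bpf_map_delete_elem(&eventfd_flags_map, &tid);
    }
    struct eventfd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct eventfd_event), 0);
    if (!ev)
        return 0;
    ev->event_type = EXIT_EVENTFD_EVENT;
    ev->trace_id = SYS_EXIT_PIDFD_OPEN;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->flags = flags;
    ev->ret = ctx->ret;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_pidfd_getfd is a struct fd_event (kind=fd)
// Records args[0], the pidfd naming the process to copy from. The descriptor
// number being copied (targetfd, args[1]) is not recorded.
SEC("tracepoint/syscalls/sys_enter_pidfd_getfd")
int handle_sys_enter_pidfd_getfd(struct syscall_trace_enter *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_PIDFD_GETFD))
        return 0;
    struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
    if (!ev)
        return 0;
    ev->event_type = ENTER_FD_EVENT;
    ev->trace_id = SYS_ENTER_PIDFD_GETFD;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->fd = (__s32)ctx->args[0];
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_pidfd_getfd is a struct ret_event (UNCLASSIFIED) (kind=ret)
// On success pidfd_getfd(2) returns a new descriptor in the caller; it is
// reported here as a plain UNCLASSIFIED return value.
// NOTE(review): confirm the consumer's descriptor tracking accounts for it.
SEC("tracepoint/syscalls/sys_exit_pidfd_getfd")
int handle_sys_exit_pidfd_getfd(struct syscall_trace_exit *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_PIDFD_GETFD, ctx->ret))
        return 0;
    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev)
        return 0;
    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_PIDFD_GETFD;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_setpriority is a struct null_event (kind=null)
SEC("tracepoint/syscalls/sys_enter_setpriority")
int handle_sys_enter_setpriority(struct syscall_trace_enter *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_SETPRIORITY))
        return 0;
    struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0);
    if (!ev)
        return 0;
    ev->event_type = ENTER_NULL_EVENT;
    ev->trace_id = SYS_ENTER_SETPRIORITY;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_setpriority is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_setpriority")
int handle_sys_exit_setpriority(struct syscall_trace_exit *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_SETPRIORITY, ctx->ret))
        return 0;
    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev)
        return 0;
    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_SETPRIORITY;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_getpriority is a struct null_event (kind=null)
SEC("tracepoint/syscalls/sys_enter_getpriority")
int handle_sys_enter_getpriority(struct syscall_trace_enter *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_GETPRIORITY))
        return 0;
    struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0);
    if (!ev)
        return 0;
    ev->event_type = ENTER_NULL_EVENT;
    ev->trace_id = SYS_ENTER_GETPRIORITY;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_getpriority is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_getpriority")
int handle_sys_exit_getpriority(struct syscall_trace_exit *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_GETPRIORITY, ctx->ret))
        return 0;
    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev)
        return 0;
    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_GETPRIORITY;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

// Credential-changing calls (setregid, setgid, setreuid, setuid, setresuid,
// setresgid) are traced as null events: ctx->args is not read, so the
// requested IDs are not recorded and only the return value from the paired
// exit handler is available to consumers.

/// sys_enter_setregid is a struct null_event (kind=null)
SEC("tracepoint/syscalls/sys_enter_setregid")
int handle_sys_enter_setregid(struct syscall_trace_enter *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_SETREGID))
        return 0;
    struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0);
    if (!ev)
        return 0;
    ev->event_type = ENTER_NULL_EVENT;
    ev->trace_id = SYS_ENTER_SETREGID;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_setregid is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_setregid")
int handle_sys_exit_setregid(struct syscall_trace_exit *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_SETREGID, ctx->ret))
        return 0;
    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev)
        return 0;
    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_SETREGID;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_setgid is a struct null_event (kind=null)
SEC("tracepoint/syscalls/sys_enter_setgid")
int handle_sys_enter_setgid(struct syscall_trace_enter *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_SETGID))
        return 0;
    struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0);
    if (!ev)
        return 0;
    ev->event_type = ENTER_NULL_EVENT;
    ev->trace_id = SYS_ENTER_SETGID;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_setgid is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_setgid")
int handle_sys_exit_setgid(struct syscall_trace_exit *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_SETGID, ctx->ret))
        return 0;
    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev)
        return 0;
    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_SETGID;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_setreuid is a struct null_event (kind=null)
SEC("tracepoint/syscalls/sys_enter_setreuid")
int handle_sys_enter_setreuid(struct syscall_trace_enter *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_SETREUID))
        return 0;
    struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0);
    if (!ev)
        return 0;
    ev->event_type = ENTER_NULL_EVENT;
    ev->trace_id = SYS_ENTER_SETREUID;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_setreuid is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_setreuid")
int handle_sys_exit_setreuid(struct syscall_trace_exit *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_SETREUID, ctx->ret))
        return 0;
    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev)
        return 0;
    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_SETREUID;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_setuid is a struct null_event (kind=null)
SEC("tracepoint/syscalls/sys_enter_setuid")
int handle_sys_enter_setuid(struct syscall_trace_enter *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_SETUID))
        return 0;
    struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0);
    if (!ev)
        return 0;
    ev->event_type = ENTER_NULL_EVENT;
    ev->trace_id = SYS_ENTER_SETUID;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_setuid is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_setuid")
int handle_sys_exit_setuid(struct syscall_trace_exit *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_SETUID, ctx->ret))
        return 0;
    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev)
        return 0;
    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_SETUID;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_setresuid is a struct null_event (kind=null)
SEC("tracepoint/syscalls/sys_enter_setresuid")
int handle_sys_enter_setresuid(struct syscall_trace_enter *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_SETRESUID))
        return 0;
    struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0);
    if (!ev)
        return 0;
    ev->event_type = ENTER_NULL_EVENT;
    ev->trace_id = SYS_ENTER_SETRESUID;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_setresuid is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_setresuid")
int handle_sys_exit_setresuid(struct syscall_trace_exit *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_SETRESUID, ctx->ret))
        return 0;
    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev)
        return 0;
    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_SETRESUID;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_getresuid is a struct null_event (kind=null)
SEC("tracepoint/syscalls/sys_enter_getresuid")
int handle_sys_enter_getresuid(struct syscall_trace_enter *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_GETRESUID))
        return 0;
    struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0);
    if (!ev)
        return 0;
    ev->event_type = ENTER_NULL_EVENT;
    ev->trace_id = SYS_ENTER_GETRESUID;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_getresuid is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_getresuid")
int handle_sys_exit_getresuid(struct syscall_trace_exit *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_GETRESUID, ctx->ret))
        return 0;
    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev)
        return 0;
    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_GETRESUID;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_setresgid is a struct null_event (kind=null)
SEC("tracepoint/syscalls/sys_enter_setresgid")
int handle_sys_enter_setresgid(struct syscall_trace_enter *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_enter(tid, SYS_ENTER_SETRESGID))
        return 0;
    struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0);
    if (!ev)
        return 0;
    ev->event_type = ENTER_NULL_EVENT;
    ev->trace_id = SYS_ENTER_SETRESGID;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_setresgid is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_setresgid")
int handle_sys_exit_setresgid(struct syscall_trace_exit *ctx) {
    __u32 pid, tid;
    if (filter(&pid, &tid))
        return 0;
    if (!ior_on_syscall_exit(tid, SYS_ENTER_SETRESGID, ctx->ret))
        return 0;
    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev)
        return 0;
    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_SETRESGID;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();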
ev->ret = ctx->ret; ev->ret_type = UNCLASSIFIED; bpf_ringbuf_submit(ev, 0); return 0; } /// sys_enter_getresgid is a struct null_event (kind=null) SEC("tracepoint/syscalls/sys_enter_getresgid") int handle_sys_enter_getresgid(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; if (!ior_on_syscall_enter(tid, SYS_ENTER_GETRESGID)) return 0; struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; ev->event_type = ENTER_NULL_EVENT; ev->trace_id = SYS_ENTER_GETRESGID; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); bpf_ringbuf_submit(ev, 0); return 0; } /// sys_exit_getresgid is a struct ret_event (UNCLASSIFIED) (kind=ret) SEC("tracepoint/syscalls/sys_exit_getresgid") int handle_sys_exit_getresgid(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; if (!ior_on_syscall_exit(tid, SYS_ENTER_GETRESGID, ctx->ret)) return 0; struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; ev->event_type = EXIT_RET_EVENT; ev->trace_id = SYS_EXIT_GETRESGID; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); ev->ret = ctx->ret; ev->ret_type = UNCLASSIFIED; bpf_ringbuf_submit(ev, 0); return 0; } /// sys_enter_setfsuid is a struct null_event (kind=null) SEC("tracepoint/syscalls/sys_enter_setfsuid") int handle_sys_enter_setfsuid(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; if (!ior_on_syscall_enter(tid, SYS_ENTER_SETFSUID)) return 0; struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; ev->event_type = ENTER_NULL_EVENT; ev->trace_id = SYS_ENTER_SETFSUID; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); bpf_ringbuf_submit(ev, 0); return 0; } /// sys_exit_setfsuid is a struct ret_event (UNCLASSIFIED) (kind=ret) SEC("tracepoint/syscalls/sys_exit_setfsuid") int handle_sys_exit_setfsuid(struct 
syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; if (!ior_on_syscall_exit(tid, SYS_ENTER_SETFSUID, ctx->ret)) return 0; struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; ev->event_type = EXIT_RET_EVENT; ev->trace_id = SYS_EXIT_SETFSUID; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); ev->ret = ctx->ret; ev->ret_type = UNCLASSIFIED; bpf_ringbuf_submit(ev, 0); return 0; } /// sys_enter_setfsgid is a struct null_event (kind=null) SEC("tracepoint/syscalls/sys_enter_setfsgid") int handle_sys_enter_setfsgid(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; if (!ior_on_syscall_enter(tid, SYS_ENTER_SETFSGID)) return 0; struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; ev->event_type = ENTER_NULL_EVENT; ev->trace_id = SYS_ENTER_SETFSGID; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); bpf_ringbuf_submit(ev, 0); return 0; } /// sys_exit_setfsgid is a struct ret_event (UNCLASSIFIED) (kind=ret) SEC("tracepoint/syscalls/sys_exit_setfsgid") int handle_sys_exit_setfsgid(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; if (!ior_on_syscall_exit(tid, SYS_ENTER_SETFSGID, ctx->ret)) return 0; struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; ev->event_type = EXIT_RET_EVENT; ev->trace_id = SYS_EXIT_SETFSGID; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); ev->ret = ctx->ret; ev->ret_type = UNCLASSIFIED; bpf_ringbuf_submit(ev, 0); return 0; } /// sys_enter_getpid is a struct null_event (kind=null) SEC("tracepoint/syscalls/sys_enter_getpid") int handle_sys_enter_getpid(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; if (!ior_on_syscall_enter(tid, SYS_ENTER_GETPID)) return 0; struct null_event *ev = bpf_ringbuf_reserve(&event_map, 
sizeof(struct null_event), 0); if (!ev) return 0; ev->event_type = ENTER_NULL_EVENT; ev->trace_id = SYS_ENTER_GETPID; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); bpf_ringbuf_submit(ev, 0); return 0; } /// sys_exit_getpid is a struct ret_event (UNCLASSIFIED) (kind=ret) SEC("tracepoint/syscalls/sys_exit_getpid") int handle_sys_exit_getpid(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; if (!ior_on_syscall_exit(tid, SYS_ENTER_GETPID, ctx->ret)) return 0; struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; ev->event_type = EXIT_RET_EVENT; ev->trace_id = SYS_EXIT_GETPID; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); ev->ret = ctx->ret; ev->ret_type = UNCLASSIFIED; bpf_ringbuf_submit(ev, 0); return 0; } /// sys_enter_gettid is a struct null_event (kind=null) SEC("tracepoint/syscalls/sys_enter_gettid") int handle_sys_enter_gettid(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; if (!ior_on_syscall_enter(tid, SYS_ENTER_GETTID)) return 0; struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; ev->event_type = ENTER_NULL_EVENT; ev->trace_id = SYS_ENTER_GETTID; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); bpf_ringbuf_submit(ev, 0); return 0; } /// sys_exit_gettid is a struct ret_event (UNCLASSIFIED) (kind=ret) SEC("tracepoint/syscalls/sys_exit_gettid") int handle_sys_exit_gettid(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; if (!ior_on_syscall_exit(tid, SYS_ENTER_GETTID, ctx->ret)) return 0; struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; ev->event_type = EXIT_RET_EVENT; ev->trace_id = SYS_EXIT_GETTID; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); ev->ret = ctx->ret; ev->ret_type = UNCLASSIFIED; bpf_ringbuf_submit(ev, 0); return 
0; } /// sys_enter_getppid is a struct null_event (kind=null) SEC("tracepoint/syscalls/sys_enter_getppid") int handle_sys_enter_getppid(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; if (!ior_on_syscall_enter(tid, SYS_ENTER_GETPPID)) return 0; struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; ev->event_type = ENTER_NULL_EVENT; ev->trace_id = SYS_ENTER_GETPPID; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); bpf_ringbuf_submit(ev, 0); return 0; } /// sys_exit_getppid is a struct ret_event (UNCLASSIFIED) (kind=ret) SEC("tracepoint/syscalls/sys_exit_getppid") int handle_sys_exit_getppid(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; if (!ior_on_syscall_exit(tid, SYS_ENTER_GETPPID, ctx->ret)) return 0; struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; ev->event_type = EXIT_RET_EVENT; ev->trace_id = SYS_EXIT_GETPPID; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); ev->ret = ctx->ret; ev->ret_type = UNCLASSIFIED; bpf_ringbuf_submit(ev, 0); return 0; } /// sys_enter_getuid is a struct null_event (kind=null) SEC("tracepoint/syscalls/sys_enter_getuid") int handle_sys_enter_getuid(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; if (!ior_on_syscall_enter(tid, SYS_ENTER_GETUID)) return 0; struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; ev->event_type = ENTER_NULL_EVENT; ev->trace_id = SYS_ENTER_GETUID; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); bpf_ringbuf_submit(ev, 0); return 0; } /// sys_exit_getuid is a struct ret_event (UNCLASSIFIED) (kind=ret) SEC("tracepoint/syscalls/sys_exit_getuid") int handle_sys_exit_getuid(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; if (!ior_on_syscall_exit(tid, 
SYS_ENTER_GETUID, ctx->ret)) return 0; struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; ev->event_type = EXIT_RET_EVENT; ev->trace_id = SYS_EXIT_GETUID; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); ev->ret = ctx->ret; ev->ret_type = UNCLASSIFIED; bpf_ringbuf_submit(ev, 0); return 0; } /// sys_enter_geteuid is a struct null_event (kind=null) SEC("tracepoint/syscalls/sys_enter_geteuid") int handle_sys_enter_geteuid(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; if (!ior_on_syscall_enter(tid, SYS_ENTER_GETEUID)) return 0; struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; ev->event_type = ENTER_NULL_EVENT; ev->trace_id = SYS_ENTER_GETEUID; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); bpf_ringbuf_submit(ev, 0); return 0; } /// sys_exit_geteuid is a struct ret_event (UNCLASSIFIED) (kind=ret) SEC("tracepoint/syscalls/sys_exit_geteuid") int handle_sys_exit_geteuid(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; if (!ior_on_syscall_exit(tid, SYS_ENTER_GETEUID, ctx->ret)) return 0; struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; ev->event_type = EXIT_RET_EVENT; ev->trace_id = SYS_EXIT_GETEUID; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); ev->ret = ctx->ret; ev->ret_type = UNCLASSIFIED; bpf_ringbuf_submit(ev, 0); return 0; } /// sys_enter_getgid is a struct null_event (kind=null) SEC("tracepoint/syscalls/sys_enter_getgid") int handle_sys_enter_getgid(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; if (!ior_on_syscall_enter(tid, SYS_ENTER_GETGID)) return 0; struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; ev->event_type = ENTER_NULL_EVENT; ev->trace_id = SYS_ENTER_GETGID; ev->pid = pid; 
ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); bpf_ringbuf_submit(ev, 0); return 0; } /// sys_exit_getgid is a struct ret_event (UNCLASSIFIED) (kind=ret) SEC("tracepoint/syscalls/sys_exit_getgid") int handle_sys_exit_getgid(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; if (!ior_on_syscall_exit(tid, SYS_ENTER_GETGID, ctx->ret)) return 0; struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; ev->event_type = EXIT_RET_EVENT; ev->trace_id = SYS_EXIT_GETGID; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); ev->ret = ctx->ret; ev->ret_type = UNCLASSIFIED; bpf_ringbuf_submit(ev, 0); return 0; } /// sys_enter_getegid is a struct null_event (kind=null) SEC("tracepoint/syscalls/sys_enter_getegid") int handle_sys_enter_getegid(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; if (!ior_on_syscall_enter(tid, SYS_ENTER_GETEGID)) return 0; struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; ev->event_type = ENTER_NULL_EVENT; ev->trace_id = SYS_ENTER_GETEGID; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); bpf_ringbuf_submit(ev, 0); return 0; } /// sys_exit_getegid is a struct ret_event (UNCLASSIFIED) (kind=ret) SEC("tracepoint/syscalls/sys_exit_getegid") int handle_sys_exit_getegid(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; if (!ior_on_syscall_exit(tid, SYS_ENTER_GETEGID, ctx->ret)) return 0; struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; ev->event_type = EXIT_RET_EVENT; ev->trace_id = SYS_EXIT_GETEGID; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); ev->ret = ctx->ret; ev->ret_type = UNCLASSIFIED; bpf_ringbuf_submit(ev, 0); return 0; } /// sys_enter_times is a struct null_event (kind=null) SEC("tracepoint/syscalls/sys_enter_times") int 
handle_sys_enter_times(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; if (!ior_on_syscall_enter(tid, SYS_ENTER_TIMES)) return 0; struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; ev->event_type = ENTER_NULL_EVENT; ev->trace_id = SYS_ENTER_TIMES; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); bpf_ringbuf_submit(ev, 0); return 0; } /// sys_exit_times is a struct ret_event (UNCLASSIFIED) (kind=ret) SEC("tracepoint/syscalls/sys_exit_times") int handle_sys_exit_times(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; if (!ior_on_syscall_exit(tid, SYS_ENTER_TIMES, ctx->ret)) return 0; struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; ev->event_type = EXIT_RET_EVENT; ev->trace_id = SYS_EXIT_TIMES; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); ev->ret = ctx->ret; ev->ret_type = UNCLASSIFIED; bpf_ringbuf_submit(ev, 0); return 0; } /// sys_enter_setpgid is a struct null_event (kind=null) SEC("tracepoint/syscalls/sys_enter_setpgid") int handle_sys_enter_setpgid(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; if (!ior_on_syscall_enter(tid, SYS_ENTER_SETPGID)) return 0; struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; ev->event_type = ENTER_NULL_EVENT; ev->trace_id = SYS_ENTER_SETPGID; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); bpf_ringbuf_submit(ev, 0); return 0; } /// sys_exit_setpgid is a struct ret_event (UNCLASSIFIED) (kind=ret) SEC("tracepoint/syscalls/sys_exit_setpgid") int handle_sys_exit_setpgid(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; if (!ior_on_syscall_exit(tid, SYS_ENTER_SETPGID, ctx->ret)) return 0; struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) 
return 0; ev->event_type = EXIT_RET_EVENT; ev->trace_id = SYS_EXIT_SETPGID; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); ev->ret = ctx->ret; ev->ret_type = UNCLASSIFIED; bpf_ringbuf_submit(ev, 0); return 0; } /// sys_enter_getpgid is a struct null_event (kind=null) SEC("tracepoint/syscalls/sys_enter_getpgid") int handle_sys_enter_getpgid(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; if (!ior_on_syscall_enter(tid, SYS_ENTER_GETPGID)) return 0; struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; ev->event_type = ENTER_NULL_EVENT; ev->trace_id = SYS_ENTER_GETPGID; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); bpf_ringbuf_submit(ev, 0); return 0; } /// sys_exit_getpgid is a struct ret_event (UNCLASSIFIED) (kind=ret) SEC("tracepoint/syscalls/sys_exit_getpgid") int handle_sys_exit_getpgid(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; if (!ior_on_syscall_exit(tid, SYS_ENTER_GETPGID, ctx->ret)) return 0; struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; ev->event_type = EXIT_RET_EVENT; ev->trace_id = SYS_EXIT_GETPGID; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); ev->ret = ctx->ret; ev->ret_type = UNCLASSIFIED; bpf_ringbuf_submit(ev, 0); return 0; } /// sys_enter_getpgrp is a struct null_event (kind=null) SEC("tracepoint/syscalls/sys_enter_getpgrp") int handle_sys_enter_getpgrp(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; if (!ior_on_syscall_enter(tid, SYS_ENTER_GETPGRP)) return 0; struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; ev->event_type = ENTER_NULL_EVENT; ev->trace_id = SYS_ENTER_GETPGRP; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); bpf_ringbuf_submit(ev, 0); return 0; } /// sys_exit_getpgrp is a struct 
ret_event (UNCLASSIFIED) (kind=ret) SEC("tracepoint/syscalls/sys_exit_getpgrp") int handle_sys_exit_getpgrp(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; if (!ior_on_syscall_exit(tid, SYS_ENTER_GETPGRP, ctx->ret)) return 0; struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; ev->event_type = EXIT_RET_EVENT; ev->trace_id = SYS_EXIT_GETPGRP; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); ev->ret = ctx->ret; ev->ret_type = UNCLASSIFIED; bpf_ringbuf_submit(ev, 0); return 0; } /// sys_enter_getsid is a struct null_event (kind=null) SEC("tracepoint/syscalls/sys_enter_getsid") int handle_sys_enter_getsid(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; if (!ior_on_syscall_enter(tid, SYS_ENTER_GETSID)) return 0; struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; ev->event_type = ENTER_NULL_EVENT; ev->trace_id = SYS_ENTER_GETSID; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); bpf_ringbuf_submit(ev, 0); return 0; } /// sys_exit_getsid is a struct ret_event (UNCLASSIFIED) (kind=ret) SEC("tracepoint/syscalls/sys_exit_getsid") int handle_sys_exit_getsid(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; if (!ior_on_syscall_exit(tid, SYS_ENTER_GETSID, ctx->ret)) return 0; struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; ev->event_type = EXIT_RET_EVENT; ev->trace_id = SYS_EXIT_GETSID; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); ev->ret = ctx->ret; ev->ret_type = UNCLASSIFIED; bpf_ringbuf_submit(ev, 0); return 0; } /// sys_enter_setsid is a struct null_event (kind=null) SEC("tracepoint/syscalls/sys_enter_setsid") int handle_sys_enter_setsid(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; if (!ior_on_syscall_enter(tid, 
SYS_ENTER_SETSID)) return 0; struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; ev->event_type = ENTER_NULL_EVENT; ev->trace_id = SYS_ENTER_SETSID; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); bpf_ringbuf_submit(ev, 0); return 0; } /// sys_exit_setsid is a struct ret_event (UNCLASSIFIED) (kind=ret) SEC("tracepoint/syscalls/sys_exit_setsid") int handle_sys_exit_setsid(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; if (!ior_on_syscall_exit(tid, SYS_ENTER_SETSID, ctx->ret)) return 0; struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; ev->event_type = EXIT_RET_EVENT; ev->trace_id = SYS_EXIT_SETSID; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); ev->ret = ctx->ret; ev->ret_type = UNCLASSIFIED; bpf_ringbuf_submit(ev, 0); return 0; } /// sys_enter_newuname is a struct null_event (kind=null) SEC("tracepoint/syscalls/sys_enter_newuname") int handle_sys_enter_newuname(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; if (!ior_on_syscall_enter(tid, SYS_ENTER_NEWUNAME)) return 0; struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; ev->event_type = ENTER_NULL_EVENT; ev->trace_id = SYS_ENTER_NEWUNAME; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); bpf_ringbuf_submit(ev, 0); return 0; } /// sys_exit_newuname is a struct ret_event (UNCLASSIFIED) (kind=ret) SEC("tracepoint/syscalls/sys_exit_newuname") int handle_sys_exit_newuname(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; if (!ior_on_syscall_exit(tid, SYS_ENTER_NEWUNAME, ctx->ret)) return 0; struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; ev->event_type = EXIT_RET_EVENT; ev->trace_id = SYS_EXIT_NEWUNAME; ev->pid = pid; ev->tid = tid; ev->time = 
bpf_ktime_get_boot_ns(); ev->ret = ctx->ret; ev->ret_type = UNCLASSIFIED; bpf_ringbuf_submit(ev, 0); return 0; } /// sys_enter_sethostname is a struct null_event (kind=null) SEC("tracepoint/syscalls/sys_enter_sethostname") int handle_sys_enter_sethostname(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; if (!ior_on_syscall_enter(tid, SYS_ENTER_SETHOSTNAME)) return 0; struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; ev->event_type = ENTER_NULL_EVENT; ev->trace_id = SYS_ENTER_SETHOSTNAME; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); bpf_ringbuf_submit(ev, 0); return 0; } /// sys_exit_sethostname is a struct ret_event (UNCLASSIFIED) (kind=ret) SEC("tracepoint/syscalls/sys_exit_sethostname") int handle_sys_exit_sethostname(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; if (!ior_on_syscall_exit(tid, SYS_ENTER_SETHOSTNAME, ctx->ret)) return 0; struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; ev->event_type = EXIT_RET_EVENT; ev->trace_id = SYS_EXIT_SETHOSTNAME; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); ev->ret = ctx->ret; ev->ret_type = UNCLASSIFIED; bpf_ringbuf_submit(ev, 0); return 0; } /// sys_enter_setdomainname is a struct null_event (kind=null) SEC("tracepoint/syscalls/sys_enter_setdomainname") int handle_sys_enter_setdomainname(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; if (!ior_on_syscall_enter(tid, SYS_ENTER_SETDOMAINNAME)) return 0; struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; ev->event_type = ENTER_NULL_EVENT; ev->trace_id = SYS_ENTER_SETDOMAINNAME; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); bpf_ringbuf_submit(ev, 0); return 0; } /// sys_exit_setdomainname is a struct ret_event (UNCLASSIFIED) (kind=ret) 
/// Exit probe: publishes ctx->ret as UNCLASSIFIED (ENTER id goes to ior_on_syscall_exit).
SEC("tracepoint/syscalls/sys_exit_setdomainname")
int handle_sys_exit_setdomainname(struct syscall_trace_exit *ctx)
{
    __u32 pid;
    __u32 tid;

    if (filter(&pid, &tid)) {
        return 0;
    }
    if (!ior_on_syscall_exit(tid, SYS_ENTER_SETDOMAINNAME, ctx->ret)) {
        return 0;
    }
    // NOTE(review): bpf_ringbuf_reserve() does not zero the record; confirm
    // struct ret_event has no field or padding beyond the seven set below.
    struct ret_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec) {
        return 0; // reservation failed: event dropped
    }
    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_SETDOMAINNAME;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret = ctx->ret;
    rec->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_getrlimit is a struct null_event (kind=null)
/// Entry probe: publishes pid, tid and boot-clock time; ctx is never read.
SEC("tracepoint/syscalls/sys_enter_getrlimit")
int handle_sys_enter_getrlimit(struct syscall_trace_enter *ctx)
{
    __u32 pid;
    __u32 tid;

    if (filter(&pid, &tid)) {
        return 0;
    }
    if (!ior_on_syscall_enter(tid, SYS_ENTER_GETRLIMIT)) {
        return 0;
    }
    // NOTE(review): bpf_ringbuf_reserve() does not zero the record; confirm
    // struct null_event has no field or padding beyond the five set below.
    struct null_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec) {
        return 0; // reservation failed: event dropped
    }
    rec->event_type = ENTER_NULL_EVENT;
    rec->trace_id = SYS_ENTER_GETRLIMIT;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_getrlimit is a struct ret_event (UNCLASSIFIED) (kind=ret)
/// Exit probe: publishes ctx->ret as UNCLASSIFIED (ENTER id goes to ior_on_syscall_exit).
SEC("tracepoint/syscalls/sys_exit_getrlimit")
int handle_sys_exit_getrlimit(struct syscall_trace_exit *ctx)
{
    __u32 pid;
    __u32 tid;

    if (filter(&pid, &tid)) {
        return 0;
    }
    if (!ior_on_syscall_exit(tid, SYS_ENTER_GETRLIMIT, ctx->ret)) {
        return 0;
    }
    struct ret_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec) {
        return 0; // reservation failed: event dropped
    }
    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_GETRLIMIT;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret = ctx->ret;
    rec->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_prlimit64 is a struct null_event (kind=null)
/// Entry probe: publishes pid, tid and boot-clock time; ctx is never read.
/// NOTE(review): neither the target pid nor the requested limits are recorded.
SEC("tracepoint/syscalls/sys_enter_prlimit64")
int handle_sys_enter_prlimit64(struct syscall_trace_enter *ctx)
{
    __u32 pid;
    __u32 tid;

    if (filter(&pid, &tid)) {
        return 0;
    }
    if (!ior_on_syscall_enter(tid, SYS_ENTER_PRLIMIT64)) {
        return 0;
    }
    struct null_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec) {
        return 0; // reservation failed: event dropped
    }
    rec->event_type = ENTER_NULL_EVENT;
    rec->trace_id = SYS_ENTER_PRLIMIT64;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_prlimit64 is a struct ret_event (UNCLASSIFIED) (kind=ret)
/// Exit probe: publishes ctx->ret as UNCLASSIFIED (ENTER id goes to ior_on_syscall_exit).
SEC("tracepoint/syscalls/sys_exit_prlimit64")
int handle_sys_exit_prlimit64(struct syscall_trace_exit *ctx)
{
    __u32 pid;
    __u32 tid;

    if (filter(&pid, &tid)) {
        return 0;
    }
    if (!ior_on_syscall_exit(tid, SYS_ENTER_PRLIMIT64, ctx->ret)) {
        return 0;
    }
    struct ret_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec) {
        return 0; // reservation failed: event dropped
    }
    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_PRLIMIT64;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret = ctx->ret;
    rec->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_setrlimit is a struct null_event (kind=null)
/// Entry probe: publishes pid, tid and boot-clock time; ctx is never read.
/// NOTE(review): the requested limits are not recorded.
SEC("tracepoint/syscalls/sys_enter_setrlimit")
int handle_sys_enter_setrlimit(struct syscall_trace_enter *ctx)
{
    __u32 pid;
    __u32 tid;

    if (filter(&pid, &tid)) {
        return 0;
    }
    if (!ior_on_syscall_enter(tid, SYS_ENTER_SETRLIMIT)) {
        return 0;
    }
    struct null_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec) {
        return 0; // reservation failed: event dropped
    }
    rec->event_type = ENTER_NULL_EVENT;
    rec->trace_id = SYS_ENTER_SETRLIMIT;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_setrlimit is a struct ret_event (UNCLASSIFIED) (kind=ret)
/// Exit probe: publishes ctx->ret as UNCLASSIFIED (ENTER id goes to ior_on_syscall_exit).
SEC("tracepoint/syscalls/sys_exit_setrlimit")
int handle_sys_exit_setrlimit(struct syscall_trace_exit *ctx)
{
    __u32 pid;
    __u32 tid;

    if (filter(&pid, &tid)) {
        return 0;
    }
    if (!ior_on_syscall_exit(tid, SYS_ENTER_SETRLIMIT, ctx->ret)) {
        return 0;
    }
    struct ret_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec) {
        return 0; // reservation failed: event dropped
    }
    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_SETRLIMIT;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret = ctx->ret;
    rec->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_getrusage is a struct null_event (kind=null)
/// Entry probe: publishes pid, tid and boot-clock time; ctx is never read.
SEC("tracepoint/syscalls/sys_enter_getrusage")
int handle_sys_enter_getrusage(struct syscall_trace_enter *ctx)
{
    __u32 pid;
    __u32 tid;

    if (filter(&pid, &tid)) {
        return 0;
    }
    if (!ior_on_syscall_enter(tid, SYS_ENTER_GETRUSAGE)) {
        return 0;
    }
    struct null_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec) {
        return 0; // reservation failed: event dropped
    }
    rec->event_type = ENTER_NULL_EVENT;
    rec->trace_id = SYS_ENTER_GETRUSAGE;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_getrusage is a struct ret_event (UNCLASSIFIED) (kind=ret)
/// Exit probe: publishes ctx->ret as UNCLASSIFIED (ENTER id goes to ior_on_syscall_exit).
SEC("tracepoint/syscalls/sys_exit_getrusage")
int handle_sys_exit_getrusage(struct syscall_trace_exit *ctx)
{
    __u32 pid;
    __u32 tid;

    if (filter(&pid, &tid)) {
        return 0;
    }
    if (!ior_on_syscall_exit(tid, SYS_ENTER_GETRUSAGE, ctx->ret)) {
        return 0;
    }
    struct ret_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec) {
        return 0; // reservation failed: event dropped
    }
    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_GETRUSAGE;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret = ctx->ret;
    rec->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_umask is a struct null_event (kind=null)
/// Entry probe: publishes pid, tid and boot-clock time; ctx is never read.
SEC("tracepoint/syscalls/sys_enter_umask")
int handle_sys_enter_umask(struct syscall_trace_enter *ctx)
{
    __u32 pid;
    __u32 tid;

    if (filter(&pid, &tid)) {
        return 0;
    }
    if (!ior_on_syscall_enter(tid, SYS_ENTER_UMASK)) {
        return 0;
    }
    struct null_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec) {
        return 0; // reservation failed: event dropped
    }
    rec->event_type = ENTER_NULL_EVENT;
    rec->trace_id = SYS_ENTER_UMASK;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_umask is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_umask")
int handle_sys_exit_umask(struct syscall_trace_exit *ctx)
{
    __u32 pid, tid;
    struct ret_event *rec;

    // A non-zero filter() result means the task is not traced. The exit hook is
    // keyed by SYS_ENTER_* while the emitted trace_id is SYS_EXIT_* -- presumably
    // to pair with the enter record; confirm in ior_on_syscall_exit().
    if (filter(&pid, &tid) || !ior_on_syscall_exit(tid, SYS_ENTER_UMASK, ctx->ret))
        return 0;

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    // Reserve fails when the ring buffer has no room: the record is dropped with
    // no counter or log in this handler, so a consumer cannot tell a gap from silence.
    if (!rec)
        return 0;

    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_UMASK;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret = ctx->ret;
    rec->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_prctl: generator kind is prctl, but the record is a plain
/// null_event. The prctl option (args[0]) is not captured, so calls such as
/// PR_SET_NO_NEW_PRIVS, PR_SET_SECCOMP or PR_SET_DUMPABLE are indistinguishable
/// in the trace.
SEC("tracepoint/syscalls/sys_enter_prctl")
int handle_sys_enter_prctl(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;
    struct null_event *rec;

    if (filter(&pid, &tid) || !ior_on_syscall_enter(tid, SYS_ENTER_PRCTL))
        return 0;

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->event_type = ENTER_NULL_EVENT;
    rec->trace_id = SYS_ENTER_PRCTL;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_prctl: ret_event (kind=ret), raw return value, UNCLASSIFIED.
SEC("tracepoint/syscalls/sys_exit_prctl")
int handle_sys_exit_prctl(struct syscall_trace_exit *ctx)
{
    __u32 pid, tid;
    struct ret_event *rec;

    if (filter(&pid, &tid) || !ior_on_syscall_exit(tid, SYS_ENTER_PRCTL, ctx->ret))
        return 0;

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_PRCTL;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret = ctx->ret;
    rec->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_getcpu: null_event (kind=null); no arguments recorded.
SEC("tracepoint/syscalls/sys_enter_getcpu")
int handle_sys_enter_getcpu(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;
    struct null_event *rec;

    if (filter(&pid, &tid) || !ior_on_syscall_enter(tid, SYS_ENTER_GETCPU))
        return 0;

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->event_type = ENTER_NULL_EVENT;
    rec->trace_id = SYS_ENTER_GETCPU;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_getcpu: ret_event (kind=ret), raw return value, UNCLASSIFIED.
SEC("tracepoint/syscalls/sys_exit_getcpu")
int handle_sys_exit_getcpu(struct syscall_trace_exit *ctx)
{
    __u32 pid, tid;
    struct ret_event *rec;

    if (filter(&pid, &tid) || !ior_on_syscall_exit(tid, SYS_ENTER_GETCPU, ctx->ret))
        return 0;

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_GETCPU;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret = ctx->ret;
    rec->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_sysinfo: null_event (kind=null); no arguments recorded.
SEC("tracepoint/syscalls/sys_enter_sysinfo")
int handle_sys_enter_sysinfo(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;
    struct null_event *rec;

    if (filter(&pid, &tid) || !ior_on_syscall_enter(tid, SYS_ENTER_SYSINFO))
        return 0;

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->event_type = ENTER_NULL_EVENT;
    rec->trace_id = SYS_ENTER_SYSINFO;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_sysinfo: ret_event (kind=ret), raw return value, UNCLASSIFIED.
SEC("tracepoint/syscalls/sys_exit_sysinfo")
int handle_sys_exit_sysinfo(struct syscall_trace_exit *ctx)
{
    __u32 pid, tid;
    struct ret_event *rec;

    if (filter(&pid, &tid) || !ior_on_syscall_exit(tid, SYS_ENTER_SYSINFO, ctx->ret))
        return 0;

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_SYSINFO;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret = ctx->ret;
    rec->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_restart_syscall: null_event (kind=null); no arguments recorded.
SEC("tracepoint/syscalls/sys_enter_restart_syscall")
int handle_sys_enter_restart_syscall(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;
    struct null_event *rec;

    if (filter(&pid, &tid) || !ior_on_syscall_enter(tid, SYS_ENTER_RESTART_SYSCALL))
        return 0;

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->event_type = ENTER_NULL_EVENT;
    rec->trace_id = SYS_ENTER_RESTART_SYSCALL;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_restart_syscall: ret_event (kind=ret), raw return value, UNCLASSIFIED.
SEC("tracepoint/syscalls/sys_exit_restart_syscall")
int handle_sys_exit_restart_syscall(struct syscall_trace_exit *ctx)
{
    __u32 pid, tid;
    struct ret_event *rec;

    if (filter(&pid, &tid) || !ior_on_syscall_exit(tid, SYS_ENTER_RESTART_SYSCALL, ctx->ret))
        return 0;

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_RESTART_SYSCALL;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret = ctx->ret;
    rec->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_rt_sigprocmask: null_event (kind=null); the mask operation and
/// signal set are not recorded.
SEC("tracepoint/syscalls/sys_enter_rt_sigprocmask")
int handle_sys_enter_rt_sigprocmask(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;
    struct null_event *rec;

    if (filter(&pid, &tid) || !ior_on_syscall_enter(tid, SYS_ENTER_RT_SIGPROCMASK))
        return 0;

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->event_type = ENTER_NULL_EVENT;
    rec->trace_id = SYS_ENTER_RT_SIGPROCMASK;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_rt_sigprocmask is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_rt_sigprocmask")
int handle_sys_exit_rt_sigprocmask(struct syscall_trace_exit *ctx)
{
    __u32 pid, tid;
    struct ret_event *rec;

    // A non-zero filter() result means the task is not traced. The exit hook is
    // keyed by SYS_ENTER_* while the emitted trace_id is SYS_EXIT_* -- presumably
    // to pair with the enter record; confirm in ior_on_syscall_exit().
    if (filter(&pid, &tid) || !ior_on_syscall_exit(tid, SYS_ENTER_RT_SIGPROCMASK, ctx->ret))
        return 0;

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    // Reserve fails when the ring buffer has no room: the record is dropped with
    // no counter or log in this handler, so a consumer cannot tell a gap from silence.
    if (!rec)
        return 0;

    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_RT_SIGPROCMASK;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret = ctx->ret;
    rec->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_rt_sigpending: null_event (kind=null); no arguments recorded.
SEC("tracepoint/syscalls/sys_enter_rt_sigpending")
int handle_sys_enter_rt_sigpending(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;
    struct null_event *rec;

    if (filter(&pid, &tid) || !ior_on_syscall_enter(tid, SYS_ENTER_RT_SIGPENDING))
        return 0;

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->event_type = ENTER_NULL_EVENT;
    rec->trace_id = SYS_ENTER_RT_SIGPENDING;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_rt_sigpending: ret_event (kind=ret), raw return value, UNCLASSIFIED.
SEC("tracepoint/syscalls/sys_exit_rt_sigpending")
int handle_sys_exit_rt_sigpending(struct syscall_trace_exit *ctx)
{
    __u32 pid, tid;
    struct ret_event *rec;

    if (filter(&pid, &tid) || !ior_on_syscall_exit(tid, SYS_ENTER_RT_SIGPENDING, ctx->ret))
        return 0;

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_RT_SIGPENDING;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret = ctx->ret;
    rec->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_rt_sigtimedwait: null_event (kind=null); no arguments recorded.
SEC("tracepoint/syscalls/sys_enter_rt_sigtimedwait")
int handle_sys_enter_rt_sigtimedwait(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;
    struct null_event *rec;

    if (filter(&pid, &tid) || !ior_on_syscall_enter(tid, SYS_ENTER_RT_SIGTIMEDWAIT))
        return 0;

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->event_type = ENTER_NULL_EVENT;
    rec->trace_id = SYS_ENTER_RT_SIGTIMEDWAIT;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_rt_sigtimedwait: ret_event (kind=ret), raw return value, UNCLASSIFIED.
SEC("tracepoint/syscalls/sys_exit_rt_sigtimedwait")
int handle_sys_exit_rt_sigtimedwait(struct syscall_trace_exit *ctx)
{
    __u32 pid, tid;
    struct ret_event *rec;

    if (filter(&pid, &tid) || !ior_on_syscall_exit(tid, SYS_ENTER_RT_SIGTIMEDWAIT, ctx->ret))
        return 0;

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_RT_SIGTIMEDWAIT;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret = ctx->ret;
    rec->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_kill: null_event (kind=null). Only the caller is recorded; the
/// target pid and the signal number are not, so the trace shows that a signal
/// was sent but not to whom or which one.
SEC("tracepoint/syscalls/sys_enter_kill")
int handle_sys_enter_kill(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;
    struct null_event *rec;

    if (filter(&pid, &tid) || !ior_on_syscall_enter(tid, SYS_ENTER_KILL))
        return 0;

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->event_type = ENTER_NULL_EVENT;
    rec->trace_id = SYS_ENTER_KILL;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_kill: ret_event (kind=ret), raw return value, UNCLASSIFIED.
SEC("tracepoint/syscalls/sys_exit_kill")
int handle_sys_exit_kill(struct syscall_trace_exit *ctx)
{
    __u32 pid, tid;
    struct ret_event *rec;

    if (filter(&pid, &tid) || !ior_on_syscall_exit(tid, SYS_ENTER_KILL, ctx->ret))
        return 0;

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_KILL;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret = ctx->ret;
    rec->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_pidfd_send_signal: fd_event (kind=fd). Records the pidfd
/// (args[0], truncated to __s32); the signal number is not recorded.
SEC("tracepoint/syscalls/sys_enter_pidfd_send_signal")
int handle_sys_enter_pidfd_send_signal(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;
    struct fd_event *rec;

    if (filter(&pid, &tid) || !ior_on_syscall_enter(tid, SYS_ENTER_PIDFD_SEND_SIGNAL))
        return 0;

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->event_type = ENTER_FD_EVENT;
    rec->trace_id = SYS_ENTER_PIDFD_SEND_SIGNAL;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    rec->fd = (__s32)ctx->args[0];
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_pidfd_send_signal: ret_event (kind=ret), raw return value, UNCLASSIFIED.
SEC("tracepoint/syscalls/sys_exit_pidfd_send_signal")
int handle_sys_exit_pidfd_send_signal(struct syscall_trace_exit *ctx)
{
    __u32 pid, tid;
    struct ret_event *rec;

    if (filter(&pid, &tid) || !ior_on_syscall_exit(tid, SYS_ENTER_PIDFD_SEND_SIGNAL, ctx->ret))
        return 0;

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_PIDFD_SEND_SIGNAL;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret = ctx->ret;
    rec->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_tgkill: null_event (kind=null); target tgid/tid and signal number
/// are not recorded.
SEC("tracepoint/syscalls/sys_enter_tgkill")
int handle_sys_enter_tgkill(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;
    struct null_event *rec;

    if (filter(&pid, &tid) || !ior_on_syscall_enter(tid, SYS_ENTER_TGKILL))
        return 0;

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->event_type = ENTER_NULL_EVENT;
    rec->trace_id = SYS_ENTER_TGKILL;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_tgkill: ret_event (kind=ret), raw return value, UNCLASSIFIED.
SEC("tracepoint/syscalls/sys_exit_tgkill")
int handle_sys_exit_tgkill(struct syscall_trace_exit *ctx)
{
    __u32 pid, tid;
    struct ret_event *rec;

    if (filter(&pid, &tid) || !ior_on_syscall_exit(tid, SYS_ENTER_TGKILL, ctx->ret))
        return 0;

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_TGKILL;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret = ctx->ret;
    rec->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_tkill: null_event (kind=null); target tid and signal number are
/// not recorded.
SEC("tracepoint/syscalls/sys_enter_tkill")
int handle_sys_enter_tkill(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;
    struct null_event *rec;

    if (filter(&pid, &tid) || !ior_on_syscall_enter(tid, SYS_ENTER_TKILL))
        return 0;

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->event_type = ENTER_NULL_EVENT;
    rec->trace_id = SYS_ENTER_TKILL;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_tkill: ret_event (kind=ret), raw return value, UNCLASSIFIED.
SEC("tracepoint/syscalls/sys_exit_tkill")
int handle_sys_exit_tkill(struct syscall_trace_exit *ctx)
{
    __u32 pid, tid;
    struct ret_event *rec;

    if (filter(&pid, &tid) || !ior_on_syscall_exit(tid, SYS_ENTER_TKILL, ctx->ret))
        return 0;

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_TKILL;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret = ctx->ret;
    rec->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_rt_sigqueueinfo: null_event (kind=null); no arguments recorded.
SEC("tracepoint/syscalls/sys_enter_rt_sigqueueinfo")
int handle_sys_enter_rt_sigqueueinfo(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;
    struct null_event *rec;

    if (filter(&pid, &tid) || !ior_on_syscall_enter(tid, SYS_ENTER_RT_SIGQUEUEINFO))
        return 0;

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->event_type = ENTER_NULL_EVENT;
    rec->trace_id = SYS_ENTER_RT_SIGQUEUEINFO;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_rt_sigqueueinfo: ret_event (kind=ret), raw return value, UNCLASSIFIED.
SEC("tracepoint/syscalls/sys_exit_rt_sigqueueinfo")
int handle_sys_exit_rt_sigqueueinfo(struct syscall_trace_exit *ctx)
{
    __u32 pid, tid;
    struct ret_event *rec;

    if (filter(&pid, &tid) || !ior_on_syscall_exit(tid, SYS_ENTER_RT_SIGQUEUEINFO, ctx->ret))
        return 0;

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_RT_SIGQUEUEINFO;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret = ctx->ret;
    rec->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_rt_tgsigqueueinfo: null_event (kind=null); no arguments recorded.
SEC("tracepoint/syscalls/sys_enter_rt_tgsigqueueinfo")
int handle_sys_enter_rt_tgsigqueueinfo(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;
    struct null_event *rec;

    if (filter(&pid, &tid) || !ior_on_syscall_enter(tid, SYS_ENTER_RT_TGSIGQUEUEINFO))
        return 0;

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->event_type = ENTER_NULL_EVENT;
    rec->trace_id = SYS_ENTER_RT_TGSIGQUEUEINFO;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_rt_tgsigqueueinfo: ret_event (kind=ret), raw return value, UNCLASSIFIED.
SEC("tracepoint/syscalls/sys_exit_rt_tgsigqueueinfo")
int handle_sys_exit_rt_tgsigqueueinfo(struct syscall_trace_exit *ctx)
{
    __u32 pid, tid;
    struct ret_event *rec;

    if (filter(&pid, &tid) || !ior_on_syscall_exit(tid, SYS_ENTER_RT_TGSIGQUEUEINFO, ctx->ret))
        return 0;

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_RT_TGSIGQUEUEINFO;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret = ctx->ret;
    rec->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_sigaltstack: null_event (kind=null); no arguments recorded.
SEC("tracepoint/syscalls/sys_enter_sigaltstack")
int handle_sys_enter_sigaltstack(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;
    struct null_event *rec;

    if (filter(&pid, &tid) || !ior_on_syscall_enter(tid, SYS_ENTER_SIGALTSTACK))
        return 0;

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->event_type = ENTER_NULL_EVENT;
    rec->trace_id = SYS_ENTER_SIGALTSTACK;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_sigaltstack: ret_event (kind=ret), raw return value, UNCLASSIFIED.
SEC("tracepoint/syscalls/sys_exit_sigaltstack")
int handle_sys_exit_sigaltstack(struct syscall_trace_exit *ctx)
{
    __u32 pid, tid;
    struct ret_event *rec;

    if (filter(&pid, &tid) || !ior_on_syscall_exit(tid, SYS_ENTER_SIGALTSTACK, ctx->ret))
        return 0;

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_SIGALTSTACK;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret = ctx->ret;
    rec->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_rt_sigaction: null_event (kind=null); the signal number and the
/// handler being installed are not recorded.
SEC("tracepoint/syscalls/sys_enter_rt_sigaction")
int handle_sys_enter_rt_sigaction(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;
    struct null_event *rec;

    if (filter(&pid, &tid) || !ior_on_syscall_enter(tid, SYS_ENTER_RT_SIGACTION))
        return 0;

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->event_type = ENTER_NULL_EVENT;
    rec->trace_id = SYS_ENTER_RT_SIGACTION;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_rt_sigaction: ret_event (kind=ret), raw return value, UNCLASSIFIED.
SEC("tracepoint/syscalls/sys_exit_rt_sigaction")
int handle_sys_exit_rt_sigaction(struct syscall_trace_exit *ctx)
{
    __u32 pid, tid;
    struct ret_event *rec;

    if (filter(&pid, &tid) || !ior_on_syscall_exit(tid, SYS_ENTER_RT_SIGACTION, ctx->ret))
        return 0;

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_RT_SIGACTION;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret = ctx->ret;
    rec->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_pause: null_event (kind=null); no arguments recorded.
SEC("tracepoint/syscalls/sys_enter_pause")
int handle_sys_enter_pause(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;
    struct null_event *rec;

    if (filter(&pid, &tid) || !ior_on_syscall_enter(tid, SYS_ENTER_PAUSE))
        return 0;

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->event_type = ENTER_NULL_EVENT;
    rec->trace_id = SYS_ENTER_PAUSE;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_pause: ret_event (kind=ret), raw return value, UNCLASSIFIED.
SEC("tracepoint/syscalls/sys_exit_pause")
int handle_sys_exit_pause(struct syscall_trace_exit *ctx)
{
    __u32 pid, tid;
    struct ret_event *rec;

    if (filter(&pid, &tid) || !ior_on_syscall_exit(tid, SYS_ENTER_PAUSE, ctx->ret))
        return 0;

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_PAUSE;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret = ctx->ret;
    rec->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_rt_sigsuspend: null_event (kind=null); no arguments recorded.
SEC("tracepoint/syscalls/sys_enter_rt_sigsuspend")
int handle_sys_enter_rt_sigsuspend(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;
    struct null_event *rec;

    if (filter(&pid, &tid) || !ior_on_syscall_enter(tid, SYS_ENTER_RT_SIGSUSPEND))
        return 0;

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->event_type = ENTER_NULL_EVENT;
    rec->trace_id = SYS_ENTER_RT_SIGSUSPEND;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_rt_sigsuspend: ret_event (kind=ret), raw return value, UNCLASSIFIED.
SEC("tracepoint/syscalls/sys_exit_rt_sigsuspend")
int handle_sys_exit_rt_sigsuspend(struct syscall_trace_exit *ctx)
{
    __u32 pid, tid;
    struct ret_event *rec;

    if (filter(&pid, &tid) || !ior_on_syscall_exit(tid, SYS_ENTER_RT_SIGSUSPEND, ctx->ret))
        return 0;

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_RT_SIGSUSPEND;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret = ctx->ret;
    rec->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_ptrace: ptrace_event (kind=ptrace). Records the request
/// (args[0]), the target pid (args[1]) and the raw data word (args[3]).
/// The addr argument (args[2]) is not copied, and data is stored as the
/// register value only -- nothing is read from the traced process's memory.
SEC("tracepoint/syscalls/sys_enter_ptrace")
int handle_sys_enter_ptrace(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;
    struct ptrace_event *rec;

    if (filter(&pid, &tid) || !ior_on_syscall_enter(tid, SYS_ENTER_PTRACE))
        return 0;

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->event_type = ENTER_PTRACE_EVENT;
    rec->trace_id = SYS_ENTER_PTRACE;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    rec->request = (__s64)ctx->args[0];
    rec->target_pid = (__s32)ctx->args[1];
    rec->data = (__u64)ctx->args[3];
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_ptrace is a struct ret_event (UNCLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_ptrace")
int handle_sys_exit_ptrace(struct syscall_trace_exit *ctx)
{
    __u32 pid, tid;
    struct ret_event *rec;

    // A non-zero filter() result means the task is not traced. The exit hook is
    // keyed by SYS_ENTER_* while the emitted trace_id is SYS_EXIT_* -- presumably
    // to pair with the enter record; confirm in ior_on_syscall_exit().
    if (filter(&pid, &tid) || !ior_on_syscall_exit(tid, SYS_ENTER_PTRACE, ctx->ret))
        return 0;

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    // Reserve fails when the ring buffer has no room: the record is dropped with
    // no counter or log in this handler, so a consumer cannot tell a gap from silence.
    if (!rec)
        return 0;

    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_PTRACE;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret = ctx->ret;
    rec->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_capget: null_event (kind=null); no arguments recorded.
SEC("tracepoint/syscalls/sys_enter_capget")
int handle_sys_enter_capget(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;
    struct null_event *rec;

    if (filter(&pid, &tid) || !ior_on_syscall_enter(tid, SYS_ENTER_CAPGET))
        return 0;

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->event_type = ENTER_NULL_EVENT;
    rec->trace_id = SYS_ENTER_CAPGET;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_capget: ret_event (kind=ret), raw return value, UNCLASSIFIED.
SEC("tracepoint/syscalls/sys_exit_capget")
int handle_sys_exit_capget(struct syscall_trace_exit *ctx)
{
    __u32 pid, tid;
    struct ret_event *rec;

    if (filter(&pid, &tid) || !ior_on_syscall_exit(tid, SYS_ENTER_CAPGET, ctx->ret))
        return 0;

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_CAPGET;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret = ctx->ret;
    rec->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_capset: null_event (kind=null). The capability header/data
/// arguments are not read, so the trace shows that capabilities were changed
/// but not which sets.
SEC("tracepoint/syscalls/sys_enter_capset")
int handle_sys_enter_capset(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;
    struct null_event *rec;

    if (filter(&pid, &tid) || !ior_on_syscall_enter(tid, SYS_ENTER_CAPSET))
        return 0;

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->event_type = ENTER_NULL_EVENT;
    rec->trace_id = SYS_ENTER_CAPSET;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_capset: ret_event (kind=ret), raw return value, UNCLASSIFIED.
SEC("tracepoint/syscalls/sys_exit_capset")
int handle_sys_exit_capset(struct syscall_trace_exit *ctx)
{
    __u32 pid, tid;
    struct ret_event *rec;

    if (filter(&pid, &tid) || !ior_on_syscall_exit(tid, SYS_ENTER_CAPSET, ctx->ret))
        return 0;

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_CAPSET;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret = ctx->ret;
    rec->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_exit: null_event (kind=null). Uses the no-return enter hook, which
/// takes only the trace id (no tid); no matching sys_exit handler appears next
/// to it. The exit status is not recorded.
SEC("tracepoint/syscalls/sys_enter_exit")
int handle_sys_enter_exit(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;
    struct null_event *rec;

    if (filter(&pid, &tid) || !ior_on_noreturn_syscall_enter(SYS_ENTER_EXIT))
        return 0;

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->event_type = ENTER_NULL_EVENT;
    rec->trace_id = SYS_ENTER_EXIT;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_exit_group: null_event (kind=null). Same no-return enter hook as
/// sys_enter_exit; the exit status is not recorded.
SEC("tracepoint/syscalls/sys_enter_exit_group")
int handle_sys_enter_exit_group(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;
    struct null_event *rec;

    if (filter(&pid, &tid) || !ior_on_noreturn_syscall_enter(SYS_ENTER_EXIT_GROUP))
        return 0;

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->event_type = ENTER_NULL_EVENT;
    rec->trace_id = SYS_ENTER_EXIT_GROUP;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_waitid: null_event (kind=proc); no arguments recorded.
SEC("tracepoint/syscalls/sys_enter_waitid")
int handle_sys_enter_waitid(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;
    struct null_event *rec;

    if (filter(&pid, &tid) || !ior_on_syscall_enter(tid, SYS_ENTER_WAITID))
        return 0;

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->event_type = ENTER_NULL_EVENT;
    rec->trace_id = SYS_ENTER_WAITID;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_waitid: ret_event (kind=ret), raw return value, UNCLASSIFIED.
SEC("tracepoint/syscalls/sys_exit_waitid")
int handle_sys_exit_waitid(struct syscall_trace_exit *ctx)
{
    __u32 pid, tid;
    struct ret_event *rec;

    if (filter(&pid, &tid) || !ior_on_syscall_exit(tid, SYS_ENTER_WAITID, ctx->ret))
        return 0;

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_WAITID;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret = ctx->ret;
    rec->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_wait4: null_event (kind=proc); no arguments recorded.
SEC("tracepoint/syscalls/sys_enter_wait4")
int handle_sys_enter_wait4(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;
    struct null_event *rec;

    if (filter(&pid, &tid) || !ior_on_syscall_enter(tid, SYS_ENTER_WAIT4))
        return 0;

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->event_type = ENTER_NULL_EVENT;
    rec->trace_id = SYS_ENTER_WAIT4;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_wait4: ret_event (kind=ret), raw return value, UNCLASSIFIED.
SEC("tracepoint/syscalls/sys_exit_wait4")
int handle_sys_exit_wait4(struct syscall_trace_exit *ctx)
{
    __u32 pid, tid;
    struct ret_event *rec;

    if (filter(&pid, &tid) || !ior_on_syscall_exit(tid, SYS_ENTER_WAIT4, ctx->ret))
        return 0;

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_WAIT4;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret = ctx->ret;
    rec->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_personality: null_event (kind=null); the requested persona value
/// is not recorded.
SEC("tracepoint/syscalls/sys_enter_personality")
int handle_sys_enter_personality(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;
    struct null_event *rec;

    if (filter(&pid, &tid) || !ior_on_syscall_enter(tid, SYS_ENTER_PERSONALITY))
        return 0;

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->event_type = ENTER_NULL_EVENT;
    rec->trace_id = SYS_ENTER_PERSONALITY;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_personality: ret_event (kind=ret), raw return value, UNCLASSIFIED.
SEC("tracepoint/syscalls/sys_exit_personality")
int handle_sys_exit_personality(struct syscall_trace_exit *ctx)
{
    __u32 pid, tid;
    struct ret_event *rec;

    if (filter(&pid, &tid) || !ior_on_syscall_exit(tid, SYS_ENTER_PERSONALITY, ctx->ret))
        return 0;

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_PERSONALITY;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret = ctx->ret;
    rec->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_set_tid_address: null_event (kind=null); no arguments recorded.
SEC("tracepoint/syscalls/sys_enter_set_tid_address")
int handle_sys_enter_set_tid_address(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;
    struct null_event *rec;

    if (filter(&pid, &tid) || !ior_on_syscall_enter(tid, SYS_ENTER_SET_TID_ADDRESS))
        return 0;

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->event_type = ENTER_NULL_EVENT;
    rec->trace_id = SYS_ENTER_SET_TID_ADDRESS;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_set_tid_address: ret_event (kind=ret), raw return value, UNCLASSIFIED.
SEC("tracepoint/syscalls/sys_exit_set_tid_address")
int handle_sys_exit_set_tid_address(struct syscall_trace_exit *ctx)
{
    __u32 pid, tid;
    struct ret_event *rec;

    if (filter(&pid, &tid) || !ior_on_syscall_exit(tid, SYS_ENTER_SET_TID_ADDRESS, ctx->ret))
        return 0;

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_SET_TID_ADDRESS;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret = ctx->ret;
    rec->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_fork: null_event (kind=proc); no arguments recorded.
SEC("tracepoint/syscalls/sys_enter_fork")
int handle_sys_enter_fork(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;
    struct null_event *rec;

    if (filter(&pid, &tid) || !ior_on_syscall_enter(tid, SYS_ENTER_FORK))
        return 0;

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->event_type = ENTER_NULL_EVENT;
    rec->trace_id = SYS_ENTER_FORK;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_fork: ret_event (kind=ret), raw return value, UNCLASSIFIED.
SEC("tracepoint/syscalls/sys_exit_fork")
int handle_sys_exit_fork(struct syscall_trace_exit *ctx)
{
    __u32 pid, tid;
    struct ret_event *rec;

    if (filter(&pid, &tid) || !ior_on_syscall_exit(tid, SYS_ENTER_FORK, ctx->ret))
        return 0;

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_FORK;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret = ctx->ret;
    rec->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_vfork: null_event (kind=proc); no arguments recorded.
SEC("tracepoint/syscalls/sys_enter_vfork")
int handle_sys_enter_vfork(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;
    struct null_event *rec;

    if (filter(&pid, &tid) || !ior_on_syscall_enter(tid, SYS_ENTER_VFORK))
        return 0;

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->event_type = ENTER_NULL_EVENT;
    rec->trace_id = SYS_ENTER_VFORK;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_vfork: ret_event (kind=ret), raw return value, UNCLASSIFIED.
SEC("tracepoint/syscalls/sys_exit_vfork")
int handle_sys_exit_vfork(struct syscall_trace_exit *ctx)
{
    __u32 pid, tid;
    struct ret_event *rec;

    if (filter(&pid, &tid) || !ior_on_syscall_exit(tid, SYS_ENTER_VFORK, ctx->ret))
        return 0;

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_VFORK;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret = ctx->ret;
    rec->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_clone: null_event (kind=proc). The clone flags are not recorded,
/// so thread creation, process creation and new-namespace requests all look
/// the same in the trace.
SEC("tracepoint/syscalls/sys_enter_clone")
int handle_sys_enter_clone(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;
    struct null_event *rec;

    if (filter(&pid, &tid) || !ior_on_syscall_enter(tid, SYS_ENTER_CLONE))
        return 0;

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->event_type = ENTER_NULL_EVENT;
    rec->trace_id = SYS_ENTER_CLONE;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_clone: ret_event (kind=ret), raw return value, UNCLASSIFIED.
SEC("tracepoint/syscalls/sys_exit_clone")
int handle_sys_exit_clone(struct syscall_trace_exit *ctx)
{
    __u32 pid, tid;
    struct ret_event *rec;

    if (filter(&pid, &tid) || !ior_on_syscall_exit(tid, SYS_ENTER_CLONE, ctx->ret))
        return 0;

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_CLONE;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret = ctx->ret;
    rec->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_clone3: null_event (kind=proc). The clone_args structure is not
/// read, so the requested flags are not recorded.
SEC("tracepoint/syscalls/sys_enter_clone3")
int handle_sys_enter_clone3(struct syscall_trace_enter *ctx)
{
    __u32 pid, tid;
    struct null_event *rec;

    if (filter(&pid, &tid) || !ior_on_syscall_enter(tid, SYS_ENTER_CLONE3))
        return 0;

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->event_type = ENTER_NULL_EVENT;
    rec->trace_id = SYS_ENTER_CLONE3;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_clone3: ret_event (kind=ret), raw return value, UNCLASSIFIED.
SEC("tracepoint/syscalls/sys_exit_clone3")
int handle_sys_exit_clone3(struct syscall_trace_exit *ctx)
{
    __u32 pid, tid;
    struct ret_event *rec;

    if (filter(&pid, &tid) || !ior_on_syscall_exit(tid, SYS_ENTER_CLONE3, ctx->ret))
        return 0;

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec)
        return 0;

    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_CLONE3;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret = ctx->ret;
    rec->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_unshare is a struct null_event (kind=null) SEC("tracepoint/syscalls/sys_enter_unshare") int handle_sys_enter_unshare(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; if (!ior_on_syscall_enter(tid, SYS_ENTER_UNSHARE)) return 0; struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; ev->event_type = ENTER_NULL_EVENT; ev->trace_id = SYS_ENTER_UNSHARE; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); 
bpf_ringbuf_submit(ev, 0); return 0; } /// sys_exit_unshare is a struct ret_event (UNCLASSIFIED) (kind=ret) SEC("tracepoint/syscalls/sys_exit_unshare") int handle_sys_exit_unshare(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; if (!ior_on_syscall_exit(tid, SYS_ENTER_UNSHARE, ctx->ret)) return 0; struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; ev->event_type = EXIT_RET_EVENT; ev->trace_id = SYS_EXIT_UNSHARE; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); ev->ret = ctx->ret; ev->ret_type = UNCLASSIFIED; bpf_ringbuf_submit(ev, 0); return 0; } /// sys_enter_map_shadow_stack is a struct mem_event (kind=mem) SEC("tracepoint/syscalls/sys_enter_map_shadow_stack") int handle_sys_enter_map_shadow_stack(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; if (!ior_on_syscall_enter(tid, SYS_ENTER_MAP_SHADOW_STACK)) return 0; struct mem_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct mem_event), 0); if (!ev) return 0; ev->event_type = ENTER_MEM_EVENT; ev->trace_id = SYS_ENTER_MAP_SHADOW_STACK; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); ev->addr = (__u64)ctx->args[0]; ev->length = (__u64)ctx->args[1]; ev->length2 = 0; ev->flags = (__u64)ctx->args[2]; bpf_ringbuf_submit(ev, 0); return 0; } /// sys_exit_map_shadow_stack is a struct ret_event (UNCLASSIFIED) (kind=ret) SEC("tracepoint/syscalls/sys_exit_map_shadow_stack") int handle_sys_exit_map_shadow_stack(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; if (!ior_on_syscall_exit(tid, SYS_ENTER_MAP_SHADOW_STACK, ctx->ret)) return 0; struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; ev->event_type = EXIT_RET_EVENT; ev->trace_id = SYS_EXIT_MAP_SHADOW_STACK; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); ev->ret = ctx->ret; ev->ret_type = UNCLASSIFIED; 
bpf_ringbuf_submit(ev, 0); return 0; } /// sys_enter_uretprobe is a struct null_event (kind=null) SEC("tracepoint/syscalls/sys_enter_uretprobe") int handle_sys_enter_uretprobe(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; if (!ior_on_syscall_enter(tid, SYS_ENTER_URETPROBE)) return 0; struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; ev->event_type = ENTER_NULL_EVENT; ev->trace_id = SYS_ENTER_URETPROBE; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); bpf_ringbuf_submit(ev, 0); return 0; } /// sys_exit_uretprobe is a struct ret_event (UNCLASSIFIED) (kind=ret) SEC("tracepoint/syscalls/sys_exit_uretprobe") int handle_sys_exit_uretprobe(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; if (!ior_on_syscall_exit(tid, SYS_ENTER_URETPROBE, ctx->ret)) return 0; struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; ev->event_type = EXIT_RET_EVENT; ev->trace_id = SYS_EXIT_URETPROBE; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); ev->ret = ctx->ret; ev->ret_type = UNCLASSIFIED; bpf_ringbuf_submit(ev, 0); return 0; } /// sys_enter_uprobe is a struct null_event (kind=null) SEC("tracepoint/syscalls/sys_enter_uprobe") int handle_sys_enter_uprobe(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; if (!ior_on_syscall_enter(tid, SYS_ENTER_UPROBE)) return 0; struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; ev->event_type = ENTER_NULL_EVENT; ev->trace_id = SYS_ENTER_UPROBE; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); bpf_ringbuf_submit(ev, 0); return 0; } /// sys_exit_uprobe is a struct ret_event (UNCLASSIFIED) (kind=ret) SEC("tracepoint/syscalls/sys_exit_uprobe") int handle_sys_exit_uprobe(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) 
return 0; if (!ior_on_syscall_exit(tid, SYS_ENTER_UPROBE, ctx->ret)) return 0; struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; ev->event_type = EXIT_RET_EVENT; ev->trace_id = SYS_EXIT_UPROBE; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); ev->ret = ctx->ret; ev->ret_type = UNCLASSIFIED; bpf_ringbuf_submit(ev, 0); return 0; } /// sys_enter_arch_prctl is a struct null_event (kind=null) SEC("tracepoint/syscalls/sys_enter_arch_prctl") int handle_sys_enter_arch_prctl(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; if (!ior_on_syscall_enter(tid, SYS_ENTER_ARCH_PRCTL)) return 0; struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; ev->event_type = ENTER_NULL_EVENT; ev->trace_id = SYS_ENTER_ARCH_PRCTL; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); bpf_ringbuf_submit(ev, 0); return 0; } /// sys_exit_arch_prctl is a struct ret_event (UNCLASSIFIED) (kind=ret) SEC("tracepoint/syscalls/sys_exit_arch_prctl") int handle_sys_exit_arch_prctl(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; if (!ior_on_syscall_exit(tid, SYS_ENTER_ARCH_PRCTL, ctx->ret)) return 0; struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; ev->event_type = EXIT_RET_EVENT; ev->trace_id = SYS_EXIT_ARCH_PRCTL; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); ev->ret = ctx->ret; ev->ret_type = UNCLASSIFIED; bpf_ringbuf_submit(ev, 0); return 0; } /// sys_enter_mmap is a struct fd_event (kind=fd) SEC("tracepoint/syscalls/sys_enter_mmap") int handle_sys_enter_mmap(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; if (!ior_on_syscall_enter(tid, SYS_ENTER_MMAP)) return 0; struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; ev->event_type = 
ENTER_FD_EVENT; ev->trace_id = SYS_ENTER_MMAP; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); ev->fd = (__s32)ctx->args[4]; bpf_ringbuf_submit(ev, 0); return 0; } /// sys_exit_mmap is a struct ret_event (UNCLASSIFIED) (kind=ret) SEC("tracepoint/syscalls/sys_exit_mmap") int handle_sys_exit_mmap(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; if (!ior_on_syscall_exit(tid, SYS_ENTER_MMAP, ctx->ret)) return 0; struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; ev->event_type = EXIT_RET_EVENT; ev->trace_id = SYS_EXIT_MMAP; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); ev->ret = ctx->ret; ev->ret_type = UNCLASSIFIED; bpf_ringbuf_submit(ev, 0); return 0; } /// sys_enter_modify_ldt is a struct null_event (kind=null) SEC("tracepoint/syscalls/sys_enter_modify_ldt") int handle_sys_enter_modify_ldt(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; if (!ior_on_syscall_enter(tid, SYS_ENTER_MODIFY_LDT)) return 0; struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; ev->event_type = ENTER_NULL_EVENT; ev->trace_id = SYS_ENTER_MODIFY_LDT; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); bpf_ringbuf_submit(ev, 0); return 0; } /// sys_exit_modify_ldt is a struct ret_event (UNCLASSIFIED) (kind=ret) SEC("tracepoint/syscalls/sys_exit_modify_ldt") int handle_sys_exit_modify_ldt(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; if (!ior_on_syscall_exit(tid, SYS_ENTER_MODIFY_LDT, ctx->ret)) return 0; struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; ev->event_type = EXIT_RET_EVENT; ev->trace_id = SYS_EXIT_MODIFY_LDT; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); ev->ret = ctx->ret; ev->ret_type = UNCLASSIFIED; bpf_ringbuf_submit(ev, 0); return 0; } /// 
sys_enter_ioperm is a struct null_event (kind=null) SEC("tracepoint/syscalls/sys_enter_ioperm") int handle_sys_enter_ioperm(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; if (!ior_on_syscall_enter(tid, SYS_ENTER_IOPERM)) return 0; struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; ev->event_type = ENTER_NULL_EVENT; ev->trace_id = SYS_ENTER_IOPERM; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); bpf_ringbuf_submit(ev, 0); return 0; } /// sys_exit_ioperm is a struct ret_event (UNCLASSIFIED) (kind=ret) SEC("tracepoint/syscalls/sys_exit_ioperm") int handle_sys_exit_ioperm(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; if (!ior_on_syscall_exit(tid, SYS_ENTER_IOPERM, ctx->ret)) return 0; struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; ev->event_type = EXIT_RET_EVENT; ev->trace_id = SYS_EXIT_IOPERM; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); ev->ret = ctx->ret; ev->ret_type = UNCLASSIFIED; bpf_ringbuf_submit(ev, 0); return 0; } /// sys_enter_iopl is a struct null_event (kind=null) SEC("tracepoint/syscalls/sys_enter_iopl") int handle_sys_enter_iopl(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; if (!ior_on_syscall_enter(tid, SYS_ENTER_IOPL)) return 0; struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; ev->event_type = ENTER_NULL_EVENT; ev->trace_id = SYS_ENTER_IOPL; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); bpf_ringbuf_submit(ev, 0); return 0; } /// sys_exit_iopl is a struct ret_event (UNCLASSIFIED) (kind=ret) SEC("tracepoint/syscalls/sys_exit_iopl") int handle_sys_exit_iopl(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; if (!ior_on_syscall_exit(tid, SYS_ENTER_IOPL, ctx->ret)) return 0; struct 
ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; ev->event_type = EXIT_RET_EVENT; ev->trace_id = SYS_EXIT_IOPL; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); ev->ret = ctx->ret; ev->ret_type = UNCLASSIFIED; bpf_ringbuf_submit(ev, 0); return 0; } /// sys_enter_rt_sigreturn is a struct null_event (kind=null) SEC("tracepoint/syscalls/sys_enter_rt_sigreturn") int handle_sys_enter_rt_sigreturn(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; if (!ior_on_noreturn_syscall_enter(SYS_ENTER_RT_SIGRETURN)) return 0; struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; ev->event_type = ENTER_NULL_EVENT; ev->trace_id = SYS_ENTER_RT_SIGRETURN; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); bpf_ringbuf_submit(ev, 0); return 0; }