// Code generated - don't change manually! /// Ignoring sys_enter_accept4 sys_exit_accept4 as possibly not file I/O related /// Ignoring sys_enter_accept sys_exit_accept as possibly not file I/O related /// Ignoring sys_enter_acct sys_exit_acct as possibly not file I/O related /// Ignoring sys_enter_add_key sys_exit_add_key as possibly not file I/O related /// Ignoring sys_enter_adjtimex sys_exit_adjtimex as possibly not file I/O related /// Ignoring sys_enter_alarm sys_exit_alarm as possibly not file I/O related /// Ignoring sys_enter_arch_prctl sys_exit_arch_prctl as possibly not file I/O related /// Ignoring sys_enter_bind sys_exit_bind as possibly not file I/O related /// Ignoring sys_enter_bpf sys_exit_bpf as possibly not file I/O related /// Ignoring sys_enter_brk sys_exit_brk as possibly not file I/O related /// Ignoring sys_enter_capget sys_exit_capget as possibly not file I/O related /// Ignoring sys_enter_capset sys_exit_capset as possibly not file I/O related /// Ignoring sys_enter_clock_adjtime sys_exit_clock_adjtime as possibly not file I/O related /// Ignoring sys_enter_clock_getres sys_exit_clock_getres as possibly not file I/O related /// Ignoring sys_enter_clock_gettime sys_exit_clock_gettime as possibly not file I/O related /// Ignoring sys_enter_clock_nanosleep sys_exit_clock_nanosleep as possibly not file I/O related /// Ignoring sys_enter_clock_settime sys_exit_clock_settime as possibly not file I/O related /// Ignoring sys_enter_clone3 sys_exit_clone3 as possibly not file I/O related /// Ignoring sys_enter_clone sys_exit_clone as possibly not file I/O related /// Ignoring sys_enter_connect sys_exit_connect as possibly not file I/O related /// Ignoring sys_enter_delete_module sys_exit_delete_module as possibly not file I/O related /// Ignoring sys_enter_epoll_create1 sys_exit_epoll_create1 as possibly not file I/O related /// Ignoring sys_enter_epoll_create sys_exit_epoll_create as possibly not file I/O related /// Ignoring sys_enter_epoll_ctl 
sys_exit_epoll_ctl as possibly not file I/O related /// Ignoring sys_enter_epoll_pwait2 sys_exit_epoll_pwait2 as possibly not file I/O related /// Ignoring sys_enter_epoll_pwait sys_exit_epoll_pwait as possibly not file I/O related /// Ignoring sys_enter_epoll_wait sys_exit_epoll_wait as possibly not file I/O related /// Ignoring sys_enter_eventfd2 sys_exit_eventfd2 as possibly not file I/O related /// Ignoring sys_enter_eventfd sys_exit_eventfd as possibly not file I/O related /// Ignoring sys_enter_execveat sys_exit_execveat as possibly not file I/O related /// Ignoring sys_enter_execve sys_exit_execve as possibly not file I/O related /// Ignoring sys_enter_exit sys_exit_exit as possibly not file I/O related /// Ignoring sys_enter_exit_group sys_exit_exit_group as possibly not file I/O related /// Ignoring sys_enter_fanotify_init sys_exit_fanotify_init as possibly not file I/O related /// Ignoring sys_enter_fork sys_exit_fork as possibly not file I/O related /// Ignoring sys_enter_fsmount sys_exit_fsmount as possibly not file I/O related /// Ignoring sys_enter_fsopen sys_exit_fsopen as possibly not file I/O related /// Ignoring sys_enter_futex sys_exit_futex as possibly not file I/O related /// Ignoring sys_enter_futex_requeue sys_exit_futex_requeue as possibly not file I/O related /// Ignoring sys_enter_futex_wait sys_exit_futex_wait as possibly not file I/O related /// Ignoring sys_enter_futex_waitv sys_exit_futex_waitv as possibly not file I/O related /// Ignoring sys_enter_futex_wake sys_exit_futex_wake as possibly not file I/O related /// Ignoring sys_enter_getcpu sys_exit_getcpu as possibly not file I/O related /// Ignoring sys_enter_getegid sys_exit_getegid as possibly not file I/O related /// Ignoring sys_enter_geteuid sys_exit_geteuid as possibly not file I/O related /// Ignoring sys_enter_getgid sys_exit_getgid as possibly not file I/O related /// Ignoring sys_enter_getgroups sys_exit_getgroups as possibly not file I/O related /// Ignoring 
sys_enter_getitimer sys_exit_getitimer as possibly not file I/O related /// Ignoring sys_enter_get_mempolicy sys_exit_get_mempolicy as possibly not file I/O related /// Ignoring sys_enter_getpeername sys_exit_getpeername as possibly not file I/O related /// Ignoring sys_enter_getpgid sys_exit_getpgid as possibly not file I/O related /// Ignoring sys_enter_getpgrp sys_exit_getpgrp as possibly not file I/O related /// Ignoring sys_enter_getpid sys_exit_getpid as possibly not file I/O related /// Ignoring sys_enter_getppid sys_exit_getppid as possibly not file I/O related /// Ignoring sys_enter_getpriority sys_exit_getpriority as possibly not file I/O related /// Ignoring sys_enter_getrandom sys_exit_getrandom as possibly not file I/O related /// Ignoring sys_enter_getresgid sys_exit_getresgid as possibly not file I/O related /// Ignoring sys_enter_getresuid sys_exit_getresuid as possibly not file I/O related /// Ignoring sys_enter_getrlimit sys_exit_getrlimit as possibly not file I/O related /// Ignoring sys_enter_get_robust_list sys_exit_get_robust_list as possibly not file I/O related /// Ignoring sys_enter_getrusage sys_exit_getrusage as possibly not file I/O related /// Ignoring sys_enter_getsid sys_exit_getsid as possibly not file I/O related /// Ignoring sys_enter_getsockname sys_exit_getsockname as possibly not file I/O related /// Ignoring sys_enter_getsockopt sys_exit_getsockopt as possibly not file I/O related /// Ignoring sys_enter_gettid sys_exit_gettid as possibly not file I/O related /// Ignoring sys_enter_gettimeofday sys_exit_gettimeofday as possibly not file I/O related /// Ignoring sys_enter_getuid sys_exit_getuid as possibly not file I/O related /// Ignoring sys_enter_init_module sys_exit_init_module as possibly not file I/O related /// Ignoring sys_enter_inotify_add_watch sys_exit_inotify_add_watch as possibly not file I/O related /// Ignoring sys_enter_inotify_init1 sys_exit_inotify_init1 as possibly not file I/O related /// Ignoring 
sys_enter_inotify_init sys_exit_inotify_init as possibly not file I/O related /// Ignoring sys_enter_inotify_rm_watch sys_exit_inotify_rm_watch as possibly not file I/O related /// Ignoring sys_enter_ioperm sys_exit_ioperm as possibly not file I/O related /// Ignoring sys_enter_iopl sys_exit_iopl as possibly not file I/O related /// Ignoring sys_enter_ioprio_get sys_exit_ioprio_get as possibly not file I/O related /// Ignoring sys_enter_ioprio_set sys_exit_ioprio_set as possibly not file I/O related /// Ignoring sys_enter_kcmp sys_exit_kcmp as possibly not file I/O related /// Ignoring sys_enter_kexec_file_load sys_exit_kexec_file_load as possibly not file I/O related /// Ignoring sys_enter_kexec_load sys_exit_kexec_load as possibly not file I/O related /// Ignoring sys_enter_keyctl sys_exit_keyctl as possibly not file I/O related /// Ignoring sys_enter_kill sys_exit_kill as possibly not file I/O related /// Ignoring sys_enter_landlock_add_rule sys_exit_landlock_add_rule as possibly not file I/O related /// Ignoring sys_enter_landlock_create_ruleset sys_exit_landlock_create_ruleset as possibly not file I/O related /// Ignoring sys_enter_landlock_restrict_self sys_exit_landlock_restrict_self as possibly not file I/O related /// Ignoring sys_enter_listen sys_exit_listen as possibly not file I/O related /// Ignoring sys_enter_listmount sys_exit_listmount as possibly not file I/O related /// Ignoring sys_enter_lsm_get_self_attr sys_exit_lsm_get_self_attr as possibly not file I/O related /// Ignoring sys_enter_lsm_list_modules sys_exit_lsm_list_modules as possibly not file I/O related /// Ignoring sys_enter_lsm_set_self_attr sys_exit_lsm_set_self_attr as possibly not file I/O related /// Ignoring sys_enter_madvise sys_exit_madvise as possibly not file I/O related /// Ignoring sys_enter_map_shadow_stack sys_exit_map_shadow_stack as possibly not file I/O related /// Ignoring sys_enter_mbind sys_exit_mbind as possibly not file I/O related /// Ignoring sys_enter_membarrier 
sys_exit_membarrier as possibly not file I/O related /// Ignoring sys_enter_memfd_create sys_exit_memfd_create as possibly not file I/O related /// Ignoring sys_enter_memfd_secret sys_exit_memfd_secret as possibly not file I/O related /// Ignoring sys_enter_migrate_pages sys_exit_migrate_pages as possibly not file I/O related /// Ignoring sys_enter_mincore sys_exit_mincore as possibly not file I/O related /// Ignoring sys_enter_mknodat sys_exit_mknodat as possibly not file I/O related /// Ignoring sys_enter_mknod sys_exit_mknod as possibly not file I/O related /// Ignoring sys_enter_mlock2 sys_exit_mlock2 as possibly not file I/O related /// Ignoring sys_enter_mlockall sys_exit_mlockall as possibly not file I/O related /// Ignoring sys_enter_mlock sys_exit_mlock as possibly not file I/O related /// Ignoring sys_enter_modify_ldt sys_exit_modify_ldt as possibly not file I/O related /// Ignoring sys_enter_mount sys_exit_mount as possibly not file I/O related /// Ignoring sys_enter_move_mount sys_exit_move_mount as possibly not file I/O related /// Ignoring sys_enter_move_pages sys_exit_move_pages as possibly not file I/O related /// Ignoring sys_enter_mprotect sys_exit_mprotect as possibly not file I/O related /// Ignoring sys_enter_mq_getsetattr sys_exit_mq_getsetattr as possibly not file I/O related /// Ignoring sys_enter_mq_notify sys_exit_mq_notify as possibly not file I/O related /// Ignoring sys_enter_mq_open sys_exit_mq_open as possibly not file I/O related /// Ignoring sys_enter_mq_timedreceive sys_exit_mq_timedreceive as possibly not file I/O related /// Ignoring sys_enter_mq_timedsend sys_exit_mq_timedsend as possibly not file I/O related /// Ignoring sys_enter_mq_unlink sys_exit_mq_unlink as possibly not file I/O related /// Ignoring sys_enter_mremap sys_exit_mremap as possibly not file I/O related /// Ignoring sys_enter_mseal sys_exit_mseal as possibly not file I/O related /// Ignoring sys_enter_msgctl sys_exit_msgctl as possibly not file I/O related /// 
Ignoring sys_enter_msgget sys_exit_msgget as possibly not file I/O related /// Ignoring sys_enter_msgrcv sys_exit_msgrcv as possibly not file I/O related /// Ignoring sys_enter_msgsnd sys_exit_msgsnd as possibly not file I/O related /// Ignoring sys_enter_munlockall sys_exit_munlockall as possibly not file I/O related /// Ignoring sys_enter_munlock sys_exit_munlock as possibly not file I/O related /// Ignoring sys_enter_munmap sys_exit_munmap as possibly not file I/O related /// Ignoring sys_enter_nanosleep sys_exit_nanosleep as possibly not file I/O related /// Ignoring sys_enter_newuname sys_exit_newuname as possibly not file I/O related /// Ignoring sys_enter_pause sys_exit_pause as possibly not file I/O related /// Ignoring sys_enter_perf_event_open sys_exit_perf_event_open as possibly not file I/O related /// Ignoring sys_enter_personality sys_exit_personality as possibly not file I/O related /// Ignoring sys_enter_pidfd_open sys_exit_pidfd_open as possibly not file I/O related /// Ignoring sys_enter_pidfd_send_signal sys_exit_pidfd_send_signal as possibly not file I/O related /// Ignoring sys_enter_pipe2 sys_exit_pipe2 as possibly not file I/O related /// Ignoring sys_enter_pipe sys_exit_pipe as possibly not file I/O related /// Ignoring sys_enter_pivot_root sys_exit_pivot_root as possibly not file I/O related /// Ignoring sys_enter_pkey_alloc sys_exit_pkey_alloc as possibly not file I/O related /// Ignoring sys_enter_pkey_free sys_exit_pkey_free as possibly not file I/O related /// Ignoring sys_enter_pkey_mprotect sys_exit_pkey_mprotect as possibly not file I/O related /// Ignoring sys_enter_poll sys_exit_poll as possibly not file I/O related /// Ignoring sys_enter_ppoll sys_exit_ppoll as possibly not file I/O related /// Ignoring sys_enter_prctl sys_exit_prctl as possibly not file I/O related /// Ignoring sys_enter_prlimit64 sys_exit_prlimit64 as possibly not file I/O related /// Ignoring sys_enter_process_madvise sys_exit_process_madvise as possibly not 
file I/O related /// Ignoring sys_enter_process_mrelease sys_exit_process_mrelease as possibly not file I/O related /// Ignoring sys_enter_process_vm_readv sys_exit_process_vm_readv as possibly not file I/O related /// Ignoring sys_enter_process_vm_writev sys_exit_process_vm_writev as possibly not file I/O related /// Ignoring sys_enter_pselect6 sys_exit_pselect6 as possibly not file I/O related /// Ignoring sys_enter_ptrace sys_exit_ptrace as possibly not file I/O related /// Ignoring sys_enter_quotactl sys_exit_quotactl as possibly not file I/O related /// Ignoring sys_enter_reboot sys_exit_reboot as possibly not file I/O related /// Ignoring sys_enter_recvfrom sys_exit_recvfrom as possibly not file I/O related /// Ignoring sys_enter_recvmmsg sys_exit_recvmmsg as possibly not file I/O related /// Ignoring sys_enter_recvmsg sys_exit_recvmsg as possibly not file I/O related /// Ignoring sys_enter_remap_file_pages sys_exit_remap_file_pages as possibly not file I/O related /// Ignoring sys_enter_request_key sys_exit_request_key as possibly not file I/O related /// Ignoring sys_enter_restart_syscall sys_exit_restart_syscall as possibly not file I/O related /// Ignoring sys_enter_rseq sys_exit_rseq as possibly not file I/O related /// Ignoring sys_enter_rt_sigaction sys_exit_rt_sigaction as possibly not file I/O related /// Ignoring sys_enter_rt_sigpending sys_exit_rt_sigpending as possibly not file I/O related /// Ignoring sys_enter_rt_sigprocmask sys_exit_rt_sigprocmask as possibly not file I/O related /// Ignoring sys_enter_rt_sigqueueinfo sys_exit_rt_sigqueueinfo as possibly not file I/O related /// Ignoring sys_enter_rt_sigreturn sys_exit_rt_sigreturn as possibly not file I/O related /// Ignoring sys_enter_rt_sigsuspend sys_exit_rt_sigsuspend as possibly not file I/O related /// Ignoring sys_enter_rt_sigtimedwait sys_exit_rt_sigtimedwait as possibly not file I/O related /// Ignoring sys_enter_rt_tgsigqueueinfo sys_exit_rt_tgsigqueueinfo as possibly not file I/O 
related /// Ignoring sys_enter_sched_getaffinity sys_exit_sched_getaffinity as possibly not file I/O related /// Ignoring sys_enter_sched_getattr sys_exit_sched_getattr as possibly not file I/O related /// Ignoring sys_enter_sched_getparam sys_exit_sched_getparam as possibly not file I/O related /// Ignoring sys_enter_sched_get_priority_max sys_exit_sched_get_priority_max as possibly not file I/O related /// Ignoring sys_enter_sched_get_priority_min sys_exit_sched_get_priority_min as possibly not file I/O related /// Ignoring sys_enter_sched_getscheduler sys_exit_sched_getscheduler as possibly not file I/O related /// Ignoring sys_enter_sched_rr_get_interval sys_exit_sched_rr_get_interval as possibly not file I/O related /// Ignoring sys_enter_sched_setaffinity sys_exit_sched_setaffinity as possibly not file I/O related /// Ignoring sys_enter_sched_setattr sys_exit_sched_setattr as possibly not file I/O related /// Ignoring sys_enter_sched_setparam sys_exit_sched_setparam as possibly not file I/O related /// Ignoring sys_enter_sched_setscheduler sys_exit_sched_setscheduler as possibly not file I/O related /// Ignoring sys_enter_sched_yield sys_exit_sched_yield as possibly not file I/O related /// Ignoring sys_enter_seccomp sys_exit_seccomp as possibly not file I/O related /// Ignoring sys_enter_select sys_exit_select as possibly not file I/O related /// Ignoring sys_enter_semctl sys_exit_semctl as possibly not file I/O related /// Ignoring sys_enter_semget sys_exit_semget as possibly not file I/O related /// Ignoring sys_enter_semop sys_exit_semop as possibly not file I/O related /// Ignoring sys_enter_semtimedop sys_exit_semtimedop as possibly not file I/O related /// Ignoring sys_enter_sendfile64 sys_exit_sendfile64 as possibly not file I/O related /// Ignoring sys_enter_sendmmsg sys_exit_sendmmsg as possibly not file I/O related /// Ignoring sys_enter_sendmsg sys_exit_sendmsg as possibly not file I/O related /// Ignoring sys_enter_sendto sys_exit_sendto as 
possibly not file I/O related /// Ignoring sys_enter_setdomainname sys_exit_setdomainname as possibly not file I/O related /// Ignoring sys_enter_setfsgid sys_exit_setfsgid as possibly not file I/O related /// Ignoring sys_enter_setfsuid sys_exit_setfsuid as possibly not file I/O related /// Ignoring sys_enter_setgid sys_exit_setgid as possibly not file I/O related /// Ignoring sys_enter_setgroups sys_exit_setgroups as possibly not file I/O related /// Ignoring sys_enter_sethostname sys_exit_sethostname as possibly not file I/O related /// Ignoring sys_enter_setitimer sys_exit_setitimer as possibly not file I/O related /// Ignoring sys_enter_set_mempolicy sys_exit_set_mempolicy as possibly not file I/O related /// Ignoring sys_enter_set_mempolicy_home_node sys_exit_set_mempolicy_home_node as possibly not file I/O related /// Ignoring sys_enter_setns sys_exit_setns as possibly not file I/O related /// Ignoring sys_enter_setpgid sys_exit_setpgid as possibly not file I/O related /// Ignoring sys_enter_setpriority sys_exit_setpriority as possibly not file I/O related /// Ignoring sys_enter_setregid sys_exit_setregid as possibly not file I/O related /// Ignoring sys_enter_setresgid sys_exit_setresgid as possibly not file I/O related /// Ignoring sys_enter_setresuid sys_exit_setresuid as possibly not file I/O related /// Ignoring sys_enter_setreuid sys_exit_setreuid as possibly not file I/O related /// Ignoring sys_enter_setrlimit sys_exit_setrlimit as possibly not file I/O related /// Ignoring sys_enter_set_robust_list sys_exit_set_robust_list as possibly not file I/O related /// Ignoring sys_enter_setsid sys_exit_setsid as possibly not file I/O related /// Ignoring sys_enter_setsockopt sys_exit_setsockopt as possibly not file I/O related /// Ignoring sys_enter_set_tid_address sys_exit_set_tid_address as possibly not file I/O related /// Ignoring sys_enter_settimeofday sys_exit_settimeofday as possibly not file I/O related /// Ignoring sys_enter_setuid sys_exit_setuid 
as possibly not file I/O related /// Ignoring sys_enter_shmat sys_exit_shmat as possibly not file I/O related /// Ignoring sys_enter_shmctl sys_exit_shmctl as possibly not file I/O related /// Ignoring sys_enter_shmdt sys_exit_shmdt as possibly not file I/O related /// Ignoring sys_enter_shmget sys_exit_shmget as possibly not file I/O related /// Ignoring sys_enter_shutdown sys_exit_shutdown as possibly not file I/O related /// Ignoring sys_enter_sigaltstack sys_exit_sigaltstack as possibly not file I/O related /// Ignoring sys_enter_signalfd4 sys_exit_signalfd4 as possibly not file I/O related /// Ignoring sys_enter_signalfd sys_exit_signalfd as possibly not file I/O related /// Ignoring sys_enter_socket sys_exit_socket as possibly not file I/O related /// Ignoring sys_enter_socketpair sys_exit_socketpair as possibly not file I/O related /// Ignoring sys_enter_splice sys_exit_splice as possibly not file I/O related /// Ignoring sys_enter_statmount sys_exit_statmount as possibly not file I/O related /// Ignoring sys_enter_swapoff sys_exit_swapoff as possibly not file I/O related /// Ignoring sys_enter_swapon sys_exit_swapon as possibly not file I/O related /// Ignoring sys_enter_sysfs sys_exit_sysfs as possibly not file I/O related /// Ignoring sys_enter_sysinfo sys_exit_sysinfo as possibly not file I/O related /// Ignoring sys_enter_tee sys_exit_tee as possibly not file I/O related /// Ignoring sys_enter_tgkill sys_exit_tgkill as possibly not file I/O related /// Ignoring sys_enter_time sys_exit_time as possibly not file I/O related /// Ignoring sys_enter_timer_create sys_exit_timer_create as possibly not file I/O related /// Ignoring sys_enter_timer_delete sys_exit_timer_delete as possibly not file I/O related /// Ignoring sys_enter_timerfd_create sys_exit_timerfd_create as possibly not file I/O related /// Ignoring sys_enter_timerfd_gettime sys_exit_timerfd_gettime as possibly not file I/O related /// Ignoring sys_enter_timerfd_settime sys_exit_timerfd_settime 
as possibly not file I/O related /// Ignoring sys_enter_timer_getoverrun sys_exit_timer_getoverrun as possibly not file I/O related /// Ignoring sys_enter_timer_gettime sys_exit_timer_gettime as possibly not file I/O related /// Ignoring sys_enter_timer_settime sys_exit_timer_settime as possibly not file I/O related /// Ignoring sys_enter_times sys_exit_times as possibly not file I/O related /// Ignoring sys_enter_tkill sys_exit_tkill as possibly not file I/O related /// Ignoring sys_enter_umask sys_exit_umask as possibly not file I/O related /// Ignoring sys_enter_umount sys_exit_umount as possibly not file I/O related /// Ignoring sys_enter_unshare sys_exit_unshare as possibly not file I/O related /// Ignoring sys_enter_uprobe sys_exit_uprobe as possibly not file I/O related /// Ignoring sys_enter_uretprobe sys_exit_uretprobe as possibly not file I/O related /// Ignoring sys_enter_userfaultfd sys_exit_userfaultfd as possibly not file I/O related /// Ignoring sys_enter_ustat sys_exit_ustat as possibly not file I/O related /// Ignoring sys_enter_utime sys_exit_utime as possibly not file I/O related /// Ignoring sys_enter_utimes sys_exit_utimes as possibly not file I/O related /// Ignoring sys_enter_vfork sys_exit_vfork as possibly not file I/O related /// Ignoring sys_enter_vhangup sys_exit_vhangup as possibly not file I/O related /// Ignoring sys_enter_wait4 sys_exit_wait4 as possibly not file I/O related /// Ignoring sys_enter_waitid sys_exit_waitid as possibly not file I/O related #define SYS_ENTER_IO_URING_REGISTER 1515 #define SYS_EXIT_IO_URING_REGISTER 1514 #define SYS_ENTER_IO_URING_ENTER 1496 #define SYS_EXIT_IO_URING_ENTER 1495 #define SYS_ENTER_IO_URING_SETUP 1494 #define SYS_EXIT_IO_URING_SETUP 1493 #define SYS_ENTER_QUOTACTL_FD 1151 #define SYS_EXIT_QUOTACTL_FD 1150 #define SYS_ENTER_NAME_TO_HANDLE_AT 1135 #define SYS_EXIT_NAME_TO_HANDLE_AT 1134 #define SYS_ENTER_OPEN_BY_HANDLE_AT 1133 #define SYS_EXIT_OPEN_BY_HANDLE_AT 1132 #define SYS_ENTER_FLOCK 1119 
#define SYS_EXIT_FLOCK 1118
#define SYS_ENTER_IO_SETUP 1105
#define SYS_EXIT_IO_SETUP 1104
#define SYS_ENTER_IO_DESTROY 1103
#define SYS_EXIT_IO_DESTROY 1102
#define SYS_ENTER_IO_SUBMIT 1101
#define SYS_EXIT_IO_SUBMIT 1100
#define SYS_ENTER_IO_CANCEL 1099
#define SYS_EXIT_IO_CANCEL 1098
#define SYS_ENTER_IO_GETEVENTS 1097
#define SYS_EXIT_IO_GETEVENTS 1096
#define SYS_ENTER_IO_PGETEVENTS 1095
#define SYS_EXIT_IO_PGETEVENTS 1094
#define SYS_ENTER_FANOTIFY_MARK 1063
#define SYS_EXIT_FANOTIFY_MARK 1062
#define SYS_ENTER_FILE_GETATTR 1053
#define SYS_EXIT_FILE_GETATTR 1052
#define SYS_ENTER_FILE_SETATTR 1051
#define SYS_EXIT_FILE_SETATTR 1050
#define SYS_ENTER_FSPICK 1047
#define SYS_EXIT_FSPICK 1046
#define SYS_ENTER_FSCONFIG 1045
#define SYS_EXIT_FSCONFIG 1044
#define SYS_ENTER_STATFS 1043
#define SYS_EXIT_STATFS 1042
#define SYS_ENTER_FSTATFS 1041
#define SYS_EXIT_FSTATFS 1040
#define SYS_ENTER_GETCWD 1037
#define SYS_EXIT_GETCWD 1036
#define SYS_ENTER_UTIMENSAT 1035
#define SYS_EXIT_UTIMENSAT 1034
#define SYS_ENTER_FUTIMESAT 1033
#define SYS_EXIT_FUTIMESAT 1032
#define SYS_ENTER_SYNC 1027
#define SYS_EXIT_SYNC 1026
#define SYS_ENTER_SYNCFS 1025
#define SYS_EXIT_SYNCFS 1024
#define SYS_ENTER_FSYNC 1023
#define SYS_EXIT_FSYNC 1022
#define SYS_ENTER_FDATASYNC 1021
#define SYS_EXIT_FDATASYNC 1020
#define SYS_ENTER_SYNC_FILE_RANGE 1019
#define SYS_EXIT_SYNC_FILE_RANGE 1018
#define SYS_ENTER_VMSPLICE 1017
#define SYS_EXIT_VMSPLICE 1016
#define SYS_ENTER_SETXATTRAT 978
#define SYS_EXIT_SETXATTRAT 977
#define SYS_ENTER_SETXATTR 976
#define SYS_EXIT_SETXATTR 975
#define SYS_ENTER_LSETXATTR 974
#define SYS_EXIT_LSETXATTR 973
#define SYS_ENTER_FSETXATTR 972
#define SYS_EXIT_FSETXATTR 971
#define SYS_ENTER_GETXATTRAT 970
#define SYS_EXIT_GETXATTRAT 969
#define SYS_ENTER_GETXATTR 968
#define SYS_EXIT_GETXATTR 967
#define SYS_ENTER_LGETXATTR 966
#define SYS_EXIT_LGETXATTR 965
#define SYS_ENTER_FGETXATTR 964
#define SYS_EXIT_FGETXATTR 963
#define SYS_ENTER_LISTXATTRAT 962
#define SYS_EXIT_LISTXATTRAT 961
#define SYS_ENTER_LISTXATTR 960
#define SYS_EXIT_LISTXATTR 959
#define SYS_ENTER_LLISTXATTR 958
#define SYS_EXIT_LLISTXATTR 957
#define SYS_ENTER_FLISTXATTR 956
#define SYS_EXIT_FLISTXATTR 955
#define SYS_ENTER_REMOVEXATTRAT 954
#define SYS_EXIT_REMOVEXATTRAT 953
#define SYS_ENTER_REMOVEXATTR 952
#define SYS_EXIT_REMOVEXATTR 951
#define SYS_ENTER_LREMOVEXATTR 950
#define SYS_EXIT_LREMOVEXATTR 949
#define SYS_ENTER_FREMOVEXATTR 948
#define SYS_EXIT_FREMOVEXATTR 947
#define SYS_ENTER_OPEN_TREE 944
#define SYS_EXIT_OPEN_TREE 943
#define SYS_ENTER_MOUNT_SETATTR 934
#define SYS_EXIT_MOUNT_SETATTR 933
#define SYS_ENTER_OPEN_TREE_ATTR 932
#define SYS_EXIT_OPEN_TREE_ATTR 931
#define SYS_ENTER_CLOSE_RANGE 924
#define SYS_EXIT_CLOSE_RANGE 923
#define SYS_ENTER_DUP3 922
#define SYS_EXIT_DUP3 921
#define SYS_ENTER_DUP2 920
#define SYS_EXIT_DUP2 919
#define SYS_ENTER_DUP 918
#define SYS_EXIT_DUP 917
#define SYS_ENTER_GETDENTS 904
#define SYS_EXIT_GETDENTS 903
#define SYS_ENTER_GETDENTS64 902
#define SYS_EXIT_GETDENTS64 901
#define SYS_ENTER_IOCTL 900
#define SYS_EXIT_IOCTL 899
#define SYS_ENTER_FCNTL 898
#define SYS_EXIT_FCNTL 897
#define SYS_ENTER_MKDIRAT 892
#define SYS_EXIT_MKDIRAT 891
#define SYS_ENTER_MKDIR 890
#define SYS_EXIT_MKDIR 889
#define SYS_ENTER_RMDIR 888
#define SYS_EXIT_RMDIR 887
#define SYS_ENTER_UNLINKAT 886
#define SYS_EXIT_UNLINKAT 885
#define SYS_ENTER_UNLINK 884
#define SYS_EXIT_UNLINK 883
#define SYS_ENTER_SYMLINKAT 882
#define SYS_EXIT_SYMLINKAT 881
#define SYS_ENTER_SYMLINK 880
#define SYS_EXIT_SYMLINK 879
#define SYS_ENTER_LINKAT 878
#define SYS_EXIT_LINKAT 877
#define SYS_ENTER_LINK 876
#define SYS_EXIT_LINK 875
#define SYS_ENTER_RENAMEAT2 874
#define SYS_EXIT_RENAMEAT2 873
#define SYS_ENTER_RENAMEAT 872
#define SYS_EXIT_RENAMEAT 871
#define SYS_ENTER_RENAME 870
#define SYS_EXIT_RENAME 869
#define SYS_ENTER_NEWSTAT 860
#define SYS_EXIT_NEWSTAT 859
#define SYS_ENTER_NEWLSTAT 858
#define SYS_EXIT_NEWLSTAT 857
#define SYS_ENTER_NEWFSTATAT 856
#define SYS_EXIT_NEWFSTATAT 855
#define SYS_ENTER_NEWFSTAT 854
#define SYS_EXIT_NEWFSTAT 853
#define SYS_ENTER_READLINKAT 852
#define SYS_EXIT_READLINKAT 851
#define SYS_ENTER_READLINK 850
#define SYS_EXIT_READLINK 849
#define SYS_ENTER_STATX 848
#define SYS_EXIT_STATX 847
#define SYS_ENTER_LSEEK 846
#define SYS_EXIT_LSEEK 845
#define SYS_ENTER_READ 844
#define SYS_EXIT_READ 843
#define SYS_ENTER_WRITE 842
#define SYS_EXIT_WRITE 841
#define SYS_ENTER_PREAD64 840
#define SYS_EXIT_PREAD64 839
#define SYS_ENTER_PWRITE64 838
#define SYS_EXIT_PWRITE64 837
#define SYS_ENTER_READV 836
#define SYS_EXIT_READV 835
#define SYS_ENTER_WRITEV 834
#define SYS_EXIT_WRITEV 833
#define SYS_ENTER_PREADV 832
#define SYS_EXIT_PREADV 831
#define SYS_ENTER_PREADV2 830
#define SYS_EXIT_PREADV2 829
#define SYS_ENTER_PWRITEV 828
#define SYS_EXIT_PWRITEV 827
#define SYS_ENTER_PWRITEV2 826
#define SYS_EXIT_PWRITEV2 825
#define SYS_ENTER_COPY_FILE_RANGE 822
#define SYS_EXIT_COPY_FILE_RANGE 821
#define SYS_ENTER_TRUNCATE 820
#define SYS_EXIT_TRUNCATE 819
#define SYS_ENTER_FTRUNCATE 818
#define SYS_EXIT_FTRUNCATE 817
#define SYS_ENTER_FALLOCATE 816
#define SYS_EXIT_FALLOCATE 815
#define SYS_ENTER_FACCESSAT 814
#define SYS_EXIT_FACCESSAT 813
#define SYS_ENTER_FACCESSAT2 812
#define SYS_EXIT_FACCESSAT2 811
#define SYS_ENTER_ACCESS 810
#define SYS_EXIT_ACCESS 809
#define SYS_ENTER_CHDIR 808
#define SYS_EXIT_CHDIR 807
#define SYS_ENTER_FCHDIR 806
#define SYS_EXIT_FCHDIR 805
#define SYS_ENTER_CHROOT 804
#define SYS_EXIT_CHROOT 803
#define SYS_ENTER_FCHMOD 802
#define SYS_EXIT_FCHMOD 801
#define SYS_ENTER_FCHMODAT2 800
#define SYS_EXIT_FCHMODAT2 799
#define SYS_ENTER_FCHMODAT 798
#define SYS_EXIT_FCHMODAT 797
#define SYS_ENTER_CHMOD 796
#define SYS_EXIT_CHMOD 795
#define SYS_ENTER_FCHOWNAT 794
#define SYS_EXIT_FCHOWNAT 793
#define SYS_ENTER_CHOWN 792
#define SYS_EXIT_CHOWN 791
#define SYS_ENTER_LCHOWN 790
#define SYS_EXIT_LCHOWN 789
#define SYS_ENTER_FCHOWN 788
#define SYS_EXIT_FCHOWN 787
#define SYS_ENTER_OPEN 786
#define SYS_EXIT_OPEN 785
#define SYS_ENTER_OPENAT 784
#define SYS_EXIT_OPENAT 783
#define SYS_ENTER_OPENAT2 782
#define SYS_EXIT_OPENAT2 781
#define SYS_ENTER_CREAT 780
#define SYS_EXIT_CREAT 779
#define SYS_ENTER_CLOSE 778
#define SYS_EXIT_CLOSE 777
#define SYS_ENTER_MSYNC 707
#define SYS_EXIT_MSYNC 706
#define SYS_ENTER_READAHEAD 613
#define SYS_EXIT_READAHEAD 612
#define SYS_ENTER_FADVISE64 611
#define SYS_EXIT_FADVISE64 610
#define SYS_ENTER_CACHESTAT 592
#define SYS_EXIT_CACHESTAT 591
#define SYS_ENTER_FINIT_MODULE 403
#define SYS_EXIT_FINIT_MODULE 402
#define SYS_ENTER_SYSLOG 347
#define SYS_EXIT_SYSLOG 346
#define SYS_ENTER_PIDFD_GETFD 271
#define SYS_EXIT_PIDFD_GETFD 270
#define SYS_ENTER_MMAP 100
#define SYS_EXIT_MMAP 99

/// ---------------------------------------------------------------------------
/// Tracepoint handlers.
///
/// Each handler asks filter() for the caller's pid/tid and emits nothing when
/// filter() returns non-zero. It then reserves one record in event_map, fills
/// it in and submits it. When the reservation fails the handler returns
/// without recording the loss, so a consumer cannot tell from these handlers
/// that events are missing.
///
/// The SYS_ENTER_*/SYS_EXIT_* constants above are stored in each record's
/// trace_id field; in this table every SYS_ENTER_* value is its SYS_EXIT_*
/// partner plus one.
/// NOTE(review): the numbers look like tracefs event ids taken at generation
/// time, which would tie them to one kernel build -- confirm that the
/// userspace decoder is built from the same table.
///
/// Coverage caveat for anyone treating this trace as an audit source: the
/// generator's ignore list at the top of the file leaves out calls that still
/// move or expose file data (for example sendfile64, splice, tee, execve,
/// memfd_create, mknod), so activity through them produces no event here.
/// ---------------------------------------------------------------------------

/// sys_enter_io_uring_register: emits a struct fd_event whose fd is the
/// syscall's first argument (args[0]).
SEC("tracepoint/syscalls/sys_enter_io_uring_register")
int handle_sys_enter_io_uring_register(struct trace_event_raw_sys_enter *ctx)
{
    __u32 pid;
    __u32 tid;
    struct fd_event *rec;

    if (filter(&pid, &tid)) {
        return 0;
    }

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec) {
        return 0;
    }

    rec->event_type = ENTER_FD_EVENT;
    rec->trace_id = SYS_ENTER_IO_URING_REGISTER;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    // The argument slot is narrowed to a signed 32-bit descriptor.
    rec->fd = (__s32)ctx->args[0];

    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_io_uring_register: emits a struct ret_event carrying the raw
/// return value; ret_type is UNCLASSIFIED (presumably: the generator attached
/// no meaning to the value).
SEC("tracepoint/syscalls/sys_exit_io_uring_register")
int handle_sys_exit_io_uring_register(struct trace_event_raw_sys_exit *ctx)
{
    __u32 pid;
    __u32 tid;
    struct ret_event *rec;

    if (filter(&pid, &tid)) {
        return 0;
    }

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec) {
        return 0;
    }

    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_IO_URING_REGISTER;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret = ctx->ret;
    rec->ret_type = UNCLASSIFIED;

    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_io_uring_enter is a struct fd_event
/// handle_sys_enter_io_uring_enter records only the ring's file descriptor
/// (args[0]). Consumers should keep in mind that operations queued on an
/// io_uring instance are carried out by the kernel without the per-operation
/// syscalls traced elsewhere in this file, so this submission call is the only
/// trace such I/O leaves here.
SEC("tracepoint/syscalls/sys_enter_io_uring_enter")
int handle_sys_enter_io_uring_enter(struct trace_event_raw_sys_enter *ctx)
{
    __u32 pid;
    __u32 tid;
    struct fd_event *rec;

    if (filter(&pid, &tid)) {
        return 0;
    }

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec) {
        // Reservation failed: the event is dropped without being counted.
        return 0;
    }

    rec->event_type = ENTER_FD_EVENT;
    rec->trace_id = SYS_ENTER_IO_URING_ENTER;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    // The argument slot is narrowed to a signed 32-bit descriptor.
    rec->fd = (__s32)ctx->args[0];

    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_io_uring_enter: emits a struct ret_event carrying the raw return
/// value; ret_type is UNCLASSIFIED.
SEC("tracepoint/syscalls/sys_exit_io_uring_enter")
int handle_sys_exit_io_uring_enter(struct trace_event_raw_sys_exit *ctx)
{
    __u32 pid;
    __u32 tid;
    struct ret_event *rec;

    if (filter(&pid, &tid)) {
        return 0;
    }

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec) {
        return 0;
    }

    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_IO_URING_ENTER;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret = ctx->ret;
    rec->ret_type = UNCLASSIFIED;

    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_io_uring_setup: emits a struct null_event, i.e. only the common
/// header fields; none of the syscall's arguments is recorded.
SEC("tracepoint/syscalls/sys_enter_io_uring_setup")
int handle_sys_enter_io_uring_setup(struct trace_event_raw_sys_enter *ctx)
{
    __u32 pid;
    __u32 tid;
    struct null_event *rec;

    if (filter(&pid, &tid)) {
        return 0;
    }

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec) {
        return 0;
    }

    rec->event_type = ENTER_NULL_EVENT;
    rec->trace_id = SYS_ENTER_IO_URING_SETUP;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();

    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_io_uring_setup: emits a struct ret_event carrying the raw return
/// value; ret_type is UNCLASSIFIED.
/// NOTE(review): on success io_uring_setup(2) returns a new file descriptor,
/// but nothing in this record marks it as one. A consumer that tracks open
/// descriptors presumably has to key on trace_id -- confirm in the decoder.
SEC("tracepoint/syscalls/sys_exit_io_uring_setup")
int handle_sys_exit_io_uring_setup(struct trace_event_raw_sys_exit *ctx)
{
    __u32 pid;
    __u32 tid;
    struct ret_event *rec;

    if (filter(&pid, &tid)) {
        return 0;
    }

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec) {
        return 0;
    }

    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_IO_URING_SETUP;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret = ctx->ret;
    rec->ret_type = UNCLASSIFIED;

    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_quotactl_fd: emits a struct fd_event whose fd is the syscall's
/// first argument (args[0]).
SEC("tracepoint/syscalls/sys_enter_quotactl_fd")
int handle_sys_enter_quotactl_fd(struct trace_event_raw_sys_enter *ctx)
{
    __u32 pid;
    __u32 tid;
    struct fd_event *rec;

    if (filter(&pid, &tid)) {
        return 0;
    }

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec) {
        return 0;
    }

    rec->event_type = ENTER_FD_EVENT;
    rec->trace_id = SYS_ENTER_QUOTACTL_FD;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    // The argument slot is narrowed to a signed 32-bit descriptor.
    rec->fd = (__s32)ctx->args[0];

    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_quotactl_fd: emits a struct ret_event carrying the raw return
/// value; ret_type is UNCLASSIFIED.
SEC("tracepoint/syscalls/sys_exit_quotactl_fd")
int handle_sys_exit_quotactl_fd(struct trace_event_raw_sys_exit *ctx)
{
    __u32 pid;
    __u32 tid;
    struct ret_event *rec;

    if (filter(&pid, &tid)) {
        return 0;
    }

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec) {
        return 0;
    }

    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_QUOTACTL_FD;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret = ctx->ret;
    rec->ret_type = UNCLASSIFIED;

    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_name_to_handle_at: emits a struct path_event holding the
/// pathname string read from the syscall's second argument (args[1]).
///
/// Limits of the recorded path, for anyone consuming it as evidence:
///  - only args[1] is captured; the directory fd in args[0] is not, so a
///    relative path cannot be resolved from this record alone;
///  - the copy is bounded by sizeof(pathname), so a longer path is cut short
///    with nothing in the record to say so;
///  - the result of bpf_probe_read_user_str() is not checked: if the read
///    fails the zero-filled buffer is submitted and looks like an empty path;
///  - the string is read from user memory at syscall entry, separately from
///    the kernel's own copy, so the two can differ if that memory changes in
///    between. Treat the value as advisory.
SEC("tracepoint/syscalls/sys_enter_name_to_handle_at")
int handle_sys_enter_name_to_handle_at(struct trace_event_raw_sys_enter *ctx)
{
    __u32 pid;
    __u32 tid;
    struct path_event *rec;

    if (filter(&pid, &tid)) {
        return 0;
    }

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec) {
        return 0;
    }

    rec->event_type = ENTER_PATH_EVENT;
    rec->trace_id = SYS_ENTER_NAME_TO_HANDLE_AT;
    rec->pid = pid;
    rec->tid = tid;
    rec->time = bpf_ktime_get_boot_ns();

    // Clear the whole buffer first so that bytes past the string's terminator
    // do not carry whatever the reserved ring-buffer slot held before.
    __builtin_memset(&rec->pathname, 0, sizeof(rec->pathname));
    bpf_probe_read_user_str(rec->pathname, sizeof(rec->pathname), (void *)ctx->args[1]);

    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_name_to_handle_at is a struct ret_event (UNCLASSIFIED)
SEC("tracepoint/syscalls/sys_exit_name_to_handle_at")
int handle_sys_exit_name_to_handle_at(struct trace_event_raw_sys_exit *ctx)
{
    __u32 pid;
    __u32 tid;
    // filter() (defined elsewhere) is expected to fill pid/tid; a non-zero
    // result skips the event.
    if (filter(&pid, &tid)) {
        return 0;
    }
    // When the ring buffer has no room the event is dropped here and nothing
    // records the loss, so enter/exit pairs can arrive incomplete.
    struct ret_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec) {
        return 0;
    }
    rec->pid = pid;
    rec->tid = tid;
    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_NAME_TO_HANDLE_AT;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret_type = UNCLASSIFIED;
    // Raw syscall return value; a failed call reports a negative errno here.
    rec->ret = ctx->ret;
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_open_by_handle_at is a struct open_by_handle_at_event
SEC("tracepoint/syscalls/sys_enter_open_by_handle_at")
int handle_sys_enter_open_by_handle_at(struct trace_event_raw_sys_enter *ctx)
{
    __u32 pid;
    __u32 tid;
    if (filter(&pid, &tid)) {
        return 0;
    }
    struct open_by_handle_at_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec) {
        return 0;
    }
    rec->pid = pid;
    rec->tid = tid;
    rec->event_type = ENTER_OPEN_BY_HANDLE_AT_EVENT;
    rec->trace_id = SYS_ENTER_OPEN_BY_HANDLE_AT;
    rec->time = bpf_ktime_get_boot_ns();
    // Only the flags (args[2]) are captured; mount_fd (args[0]) and the file
    // handle are not. The call opens a file from an opaque handle rather than
    // a path, so there is no pathname for a consumer to correlate with.
    rec->flags = (__s32)ctx->args[2];
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_open_by_handle_at is a struct ret_event (UNCLASSIFIED)
SEC("tracepoint/syscalls/sys_exit_open_by_handle_at")
int handle_sys_exit_open_by_handle_at(struct trace_event_raw_sys_exit *ctx)
{
    __u32 pid;
    __u32 tid;
    if (filter(&pid, &tid)) {
        return 0;
    }
    struct ret_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec) {
        return 0;
    }
    rec->pid = pid;
    rec->tid = tid;
    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_OPEN_BY_HANDLE_AT;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret_type = UNCLASSIFIED;
    rec->ret = ctx->ret;
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_flock is a struct fd_event
SEC("tracepoint/syscalls/sys_enter_flock")
int handle_sys_enter_flock(struct trace_event_raw_sys_enter *ctx)
{
    __u32 pid;
    __u32 tid;
    if (filter(&pid, &tid)) {
        return 0;
    }
    struct fd_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec) {
        return 0;
    }
    rec->pid = pid;
    rec->tid = tid;
    rec->event_type = ENTER_FD_EVENT;
    rec->trace_id = SYS_ENTER_FLOCK;
    rec->time = bpf_ktime_get_boot_ns();
    rec->fd = (__s32)ctx->args[0];
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_flock is a struct ret_event (UNCLASSIFIED)
SEC("tracepoint/syscalls/sys_exit_flock")
int handle_sys_exit_flock(struct trace_event_raw_sys_exit *ctx)
{
    __u32 pid;
    __u32 tid;
    if (filter(&pid, &tid)) {
        return 0;
    }
    struct ret_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec) {
        return 0;
    }
    rec->pid = pid;
    rec->tid = tid;
    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_FLOCK;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret_type = UNCLASSIFIED;
    rec->ret = ctx->ret;
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_io_setup is a struct null_event
SEC("tracepoint/syscalls/sys_enter_io_setup")
int handle_sys_enter_io_setup(struct trace_event_raw_sys_enter *ctx)
{
    __u32 pid;
    __u32 tid;
    if (filter(&pid, &tid)) {
        return 0;
    }
    // Null event: the io_* handlers in this group record only that the call
    // happened. No argument is read, so the AIO context and the descriptors
    // named in submitted control blocks are not visible in these events.
    struct null_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec) {
        return 0;
    }
    rec->pid = pid;
    rec->tid = tid;
    rec->event_type = ENTER_NULL_EVENT;
    rec->trace_id = SYS_ENTER_IO_SETUP;
    rec->time = bpf_ktime_get_boot_ns();
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_io_setup is a struct ret_event (UNCLASSIFIED)
SEC("tracepoint/syscalls/sys_exit_io_setup")
int handle_sys_exit_io_setup(struct trace_event_raw_sys_exit *ctx)
{
    __u32 pid;
    __u32 tid;
    if (filter(&pid, &tid)) {
        return 0;
    }
    struct ret_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec) {
        return 0;
    }
    rec->pid = pid;
    rec->tid = tid;
    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_IO_SETUP;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret_type = UNCLASSIFIED;
    rec->ret = ctx->ret;
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_io_destroy is a struct null_event
SEC("tracepoint/syscalls/sys_enter_io_destroy")
int handle_sys_enter_io_destroy(struct trace_event_raw_sys_enter *ctx)
{
    __u32 pid;
    __u32 tid;
    if (filter(&pid, &tid)) {
        return 0;
    }
    struct null_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec) {
        return 0;
    }
    rec->pid = pid;
    rec->tid = tid;
    rec->event_type = ENTER_NULL_EVENT;
    rec->trace_id = SYS_ENTER_IO_DESTROY;
    rec->time = bpf_ktime_get_boot_ns();
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_io_destroy is a struct ret_event (UNCLASSIFIED)
SEC("tracepoint/syscalls/sys_exit_io_destroy")
int handle_sys_exit_io_destroy(struct trace_event_raw_sys_exit *ctx)
{
    __u32 pid;
    __u32 tid;
    if (filter(&pid, &tid)) {
        return 0;
    }
    struct ret_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec) {
        return 0;
    }
    rec->pid = pid;
    rec->tid = tid;
    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_IO_DESTROY;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret_type = UNCLASSIFIED;
    rec->ret = ctx->ret;
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_io_submit is a struct null_event
SEC("tracepoint/syscalls/sys_enter_io_submit")
int handle_sys_enter_io_submit(struct trace_event_raw_sys_enter *ctx)
{
    __u32 pid;
    __u32 tid;
    if (filter(&pid, &tid)) {
        return 0;
    }
    struct null_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec) {
        return 0;
    }
    rec->pid = pid;
    rec->tid = tid;
    rec->event_type = ENTER_NULL_EVENT;
    rec->trace_id = SYS_ENTER_IO_SUBMIT;
    rec->time = bpf_ktime_get_boot_ns();
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_io_submit is a struct ret_event (UNCLASSIFIED)
SEC("tracepoint/syscalls/sys_exit_io_submit")
int handle_sys_exit_io_submit(struct trace_event_raw_sys_exit *ctx)
{
    __u32 pid;
    __u32 tid;
    if (filter(&pid, &tid)) {
        return 0;
    }
    struct ret_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec) {
        return 0;
    }
    rec->pid = pid;
    rec->tid = tid;
    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_IO_SUBMIT;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret_type = UNCLASSIFIED;
    rec->ret = ctx->ret;
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_io_cancel is a struct null_event
SEC("tracepoint/syscalls/sys_enter_io_cancel")
int handle_sys_enter_io_cancel(struct trace_event_raw_sys_enter *ctx)
{
    __u32 pid;
    __u32 tid;
    if (filter(&pid, &tid)) {
        return 0;
    }
    struct null_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec) {
        return 0;
    }
    rec->pid = pid;
    rec->tid = tid;
    rec->event_type = ENTER_NULL_EVENT;
    rec->trace_id = SYS_ENTER_IO_CANCEL;
    rec->time = bpf_ktime_get_boot_ns();
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_io_cancel is a struct ret_event (UNCLASSIFIED)
SEC("tracepoint/syscalls/sys_exit_io_cancel")
int handle_sys_exit_io_cancel(struct trace_event_raw_sys_exit *ctx)
{
    __u32 pid;
    __u32 tid;
    if (filter(&pid, &tid)) {
        return 0;
    }
    struct ret_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec) {
        return 0;
    }
    rec->pid = pid;
    rec->tid = tid;
    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_IO_CANCEL;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret_type = UNCLASSIFIED;
    rec->ret = ctx->ret;
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_io_getevents is a struct null_event
SEC("tracepoint/syscalls/sys_enter_io_getevents")
int handle_sys_enter_io_getevents(struct trace_event_raw_sys_enter *ctx)
{
    __u32 pid;
    __u32 tid;
    if (filter(&pid, &tid)) {
        return 0;
    }
    struct null_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec) {
        return 0;
    }
    rec->pid = pid;
    rec->tid = tid;
    rec->event_type = ENTER_NULL_EVENT;
    rec->trace_id = SYS_ENTER_IO_GETEVENTS;
    rec->time = bpf_ktime_get_boot_ns();
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_io_getevents is a struct ret_event (UNCLASSIFIED)
SEC("tracepoint/syscalls/sys_exit_io_getevents")
int handle_sys_exit_io_getevents(struct trace_event_raw_sys_exit *ctx)
{
    __u32 pid;
    __u32 tid;
    if (filter(&pid, &tid)) {
        return 0;
    }
    struct ret_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec) {
        return 0;
    }
    rec->pid = pid;
    rec->tid = tid;
    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_IO_GETEVENTS;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret_type = UNCLASSIFIED;
    rec->ret = ctx->ret;
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_io_pgetevents is a struct null_event
SEC("tracepoint/syscalls/sys_enter_io_pgetevents")
int handle_sys_enter_io_pgetevents(struct trace_event_raw_sys_enter *ctx)
{
    __u32 pid;
    __u32 tid;
    if (filter(&pid, &tid)) {
        return 0;
    }
    struct null_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec) {
        return 0;
    }
    rec->pid = pid;
    rec->tid = tid;
    rec->event_type = ENTER_NULL_EVENT;
    rec->trace_id = SYS_ENTER_IO_PGETEVENTS;
    rec->time = bpf_ktime_get_boot_ns();
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_io_pgetevents is a struct ret_event (UNCLASSIFIED)
SEC("tracepoint/syscalls/sys_exit_io_pgetevents")
int handle_sys_exit_io_pgetevents(struct trace_event_raw_sys_exit *ctx)
{
    __u32 pid;
    __u32 tid;
    if (filter(&pid, &tid)) {
        return 0;
    }
    struct ret_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec) {
        return 0;
    }
    rec->pid = pid;
    rec->tid = tid;
    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_IO_PGETEVENTS;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret_type = UNCLASSIFIED;
    rec->ret = ctx->ret;
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_fanotify_mark is a struct path_event
SEC("tracepoint/syscalls/sys_enter_fanotify_mark")
int handle_sys_enter_fanotify_mark(struct trace_event_raw_sys_enter *ctx)
{
    __u32 pid;
    __u32 tid;
    if (filter(&pid, &tid)) {
        return 0;
    }
    struct path_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec) {
        return 0;
    }
    rec->pid = pid;
    rec->tid = tid;
    rec->event_type = ENTER_PATH_EVENT;
    rec->trace_id = SYS_ENTER_FANOTIFY_MARK;
    rec->time = bpf_ktime_get_boot_ns();
    // Clear the buffer first: a reserved record is not guaranteed to be
    // zeroed, and the read below may fail or fill only part of the buffer.
    __builtin_memset(&(rec->pathname), 0, sizeof(rec->pathname));
    // The helper's return value is ignored: a faulting pointer leaves an empty
    // pathname and an over-long path is cut at sizeof(rec->pathname) with no
    // marker. The string is copied from user memory at syscall entry, so it is
    // what the caller passed, not proof of what the kernel later resolved.
    // For this call the pathname (args[4]) may legitimately be NULL, with the
    // target named by dirfd instead; the event then carries an empty pathname.
    bpf_probe_read_user_str(rec->pathname, sizeof(rec->pathname), (void *)ctx->args[4]);
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_fanotify_mark is a struct ret_event (UNCLASSIFIED)
SEC("tracepoint/syscalls/sys_exit_fanotify_mark")
int handle_sys_exit_fanotify_mark(struct trace_event_raw_sys_exit *ctx)
{
    __u32 pid;
    __u32 tid;
    if (filter(&pid, &tid)) {
        return 0;
    }
    struct ret_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec) {
        return 0;
    }
    rec->pid = pid;
    rec->tid = tid;
    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_FANOTIFY_MARK;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret_type = UNCLASSIFIED;
    rec->ret = ctx->ret;
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_file_getattr is a struct path_event
SEC("tracepoint/syscalls/sys_enter_file_getattr")
int handle_sys_enter_file_getattr(struct trace_event_raw_sys_enter *ctx)
{
    __u32 pid;
    __u32 tid;
    if (filter(&pid, &tid)) {
        return 0;
    }
    struct path_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec) {
        return 0;
    }
    rec->pid = pid;
    rec->tid = tid;
    rec->event_type = ENTER_PATH_EVENT;
    rec->trace_id = SYS_ENTER_FILE_GETATTR;
    rec->time = bpf_ktime_get_boot_ns();
    __builtin_memset(&(rec->pathname), 0, sizeof(rec->pathname));
    // Path only (args[1]); the directory fd in args[0] is not recorded.
    bpf_probe_read_user_str(rec->pathname, sizeof(rec->pathname), (void *)ctx->args[1]);
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_file_getattr is a struct ret_event (UNCLASSIFIED)
SEC("tracepoint/syscalls/sys_exit_file_getattr")
int handle_sys_exit_file_getattr(struct trace_event_raw_sys_exit *ctx)
{
    __u32 pid;
    __u32 tid;
    if (filter(&pid, &tid)) {
        return 0;
    }
    struct ret_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec) {
        return 0;
    }
    rec->pid = pid;
    rec->tid = tid;
    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_FILE_GETATTR;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret_type = UNCLASSIFIED;
    rec->ret = ctx->ret;
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_file_setattr is a struct path_event
SEC("tracepoint/syscalls/sys_enter_file_setattr")
int handle_sys_enter_file_setattr(struct trace_event_raw_sys_enter *ctx)
{
    __u32 pid;
    __u32 tid;
    if (filter(&pid, &tid)) {
        return 0;
    }
    struct path_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec) {
        return 0;
    }
    rec->pid = pid;
    rec->tid = tid;
    rec->event_type = ENTER_PATH_EVENT;
    rec->trace_id = SYS_ENTER_FILE_SETATTR;
    rec->time = bpf_ktime_get_boot_ns();
    __builtin_memset(&(rec->pathname), 0, sizeof(rec->pathname));
    // Path only (args[1]); the attributes being set are not captured.
    bpf_probe_read_user_str(rec->pathname, sizeof(rec->pathname), (void *)ctx->args[1]);
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_file_setattr is a struct ret_event (UNCLASSIFIED)
SEC("tracepoint/syscalls/sys_exit_file_setattr")
int handle_sys_exit_file_setattr(struct trace_event_raw_sys_exit *ctx)
{
    __u32 pid;
    __u32 tid;
    if (filter(&pid, &tid)) {
        return 0;
    }
    struct ret_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec) {
        return 0;
    }
    rec->pid = pid;
    rec->tid = tid;
    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_FILE_SETATTR;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret_type = UNCLASSIFIED;
    rec->ret = ctx->ret;
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_fspick is a struct path_event
SEC("tracepoint/syscalls/sys_enter_fspick")
int handle_sys_enter_fspick(struct trace_event_raw_sys_enter *ctx)
{
    __u32 pid;
    __u32 tid;
    if (filter(&pid, &tid)) {
        return 0;
    }
    struct path_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec) {
        return 0;
    }
    rec->pid = pid;
    rec->tid = tid;
    rec->event_type = ENTER_PATH_EVENT;
    rec->trace_id = SYS_ENTER_FSPICK;
    rec->time = bpf_ktime_get_boot_ns();
    __builtin_memset(&(rec->pathname), 0, sizeof(rec->pathname));
    bpf_probe_read_user_str(rec->pathname, sizeof(rec->pathname), (void *)ctx->args[1]);
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_fspick is a struct ret_event (UNCLASSIFIED)
SEC("tracepoint/syscalls/sys_exit_fspick")
int handle_sys_exit_fspick(struct trace_event_raw_sys_exit *ctx)
{
    __u32 pid;
    __u32 tid;
    if (filter(&pid, &tid)) {
        return 0;
    }
    struct ret_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec) {
        return 0;
    }
    rec->pid = pid;
    rec->tid = tid;
    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_FSPICK;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret_type = UNCLASSIFIED;
    rec->ret = ctx->ret;
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_fsconfig is a struct fd_event
SEC("tracepoint/syscalls/sys_enter_fsconfig")
int handle_sys_enter_fsconfig(struct trace_event_raw_sys_enter *ctx)
{
    __u32 pid;
    __u32 tid;
    // filter() (defined elsewhere) is expected to fill pid/tid; a non-zero
    // result skips the event.
    if (filter(&pid, &tid)) {
        return 0;
    }
    // When the ring buffer has no room the event is dropped here and nothing
    // records the loss, so enter/exit pairs can arrive incomplete.
    struct fd_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec) {
        return 0;
    }
    rec->pid = pid;
    rec->tid = tid;
    rec->event_type = ENTER_FD_EVENT;
    rec->trace_id = SYS_ENTER_FSCONFIG;
    rec->time = bpf_ktime_get_boot_ns();
    // Only the fd in args[0] is captured; the command and its key/value
    // arguments are not read.
    rec->fd = (__s32)ctx->args[0];
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_fsconfig is a struct ret_event (UNCLASSIFIED)
SEC("tracepoint/syscalls/sys_exit_fsconfig")
int handle_sys_exit_fsconfig(struct trace_event_raw_sys_exit *ctx)
{
    __u32 pid;
    __u32 tid;
    if (filter(&pid, &tid)) {
        return 0;
    }
    struct ret_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec) {
        return 0;
    }
    rec->pid = pid;
    rec->tid = tid;
    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_FSCONFIG;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret_type = UNCLASSIFIED;
    // Raw syscall return value; a failed call reports a negative errno here.
    rec->ret = ctx->ret;
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_statfs is a struct path_event
SEC("tracepoint/syscalls/sys_enter_statfs")
int handle_sys_enter_statfs(struct trace_event_raw_sys_enter *ctx)
{
    __u32 pid;
    __u32 tid;
    if (filter(&pid, &tid)) {
        return 0;
    }
    struct path_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec) {
        return 0;
    }
    rec->pid = pid;
    rec->tid = tid;
    rec->event_type = ENTER_PATH_EVENT;
    rec->trace_id = SYS_ENTER_STATFS;
    rec->time = bpf_ktime_get_boot_ns();
    // Clear the buffer first: a reserved record is not guaranteed to be
    // zeroed, and the read below may fail or fill only part of the buffer.
    __builtin_memset(&(rec->pathname), 0, sizeof(rec->pathname));
    // The helper's return value is ignored: a faulting pointer leaves an empty
    // pathname and an over-long path is cut at sizeof(rec->pathname) with no
    // marker. The string is copied from user memory at syscall entry, so it is
    // what the caller passed, not proof of what the kernel later resolved.
    bpf_probe_read_user_str(rec->pathname, sizeof(rec->pathname), (void *)ctx->args[0]);
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_statfs is a struct ret_event (UNCLASSIFIED)
SEC("tracepoint/syscalls/sys_exit_statfs")
int handle_sys_exit_statfs(struct trace_event_raw_sys_exit *ctx)
{
    __u32 pid;
    __u32 tid;
    if (filter(&pid, &tid)) {
        return 0;
    }
    struct ret_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec) {
        return 0;
    }
    rec->pid = pid;
    rec->tid = tid;
    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_STATFS;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret_type = UNCLASSIFIED;
    rec->ret = ctx->ret;
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_fstatfs is a struct fd_event
SEC("tracepoint/syscalls/sys_enter_fstatfs")
int handle_sys_enter_fstatfs(struct trace_event_raw_sys_enter *ctx)
{
    __u32 pid;
    __u32 tid;
    if (filter(&pid, &tid)) {
        return 0;
    }
    struct fd_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec) {
        return 0;
    }
    rec->pid = pid;
    rec->tid = tid;
    rec->event_type = ENTER_FD_EVENT;
    rec->trace_id = SYS_ENTER_FSTATFS;
    rec->time = bpf_ktime_get_boot_ns();
    rec->fd = (__s32)ctx->args[0];
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_fstatfs is a struct ret_event (UNCLASSIFIED)
SEC("tracepoint/syscalls/sys_exit_fstatfs")
int handle_sys_exit_fstatfs(struct trace_event_raw_sys_exit *ctx)
{
    __u32 pid;
    __u32 tid;
    if (filter(&pid, &tid)) {
        return 0;
    }
    struct ret_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec) {
        return 0;
    }
    rec->pid = pid;
    rec->tid = tid;
    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_FSTATFS;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret_type = UNCLASSIFIED;
    rec->ret = ctx->ret;
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_getcwd is a struct null_event
SEC("tracepoint/syscalls/sys_enter_getcwd")
int handle_sys_enter_getcwd(struct trace_event_raw_sys_enter *ctx)
{
    __u32 pid;
    __u32 tid;
    if (filter(&pid, &tid)) {
        return 0;
    }
    // Null event: only the fact that the call happened is recorded; none of
    // the syscall arguments are read.
    struct null_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec) {
        return 0;
    }
    rec->pid = pid;
    rec->tid = tid;
    rec->event_type = ENTER_NULL_EVENT;
    rec->trace_id = SYS_ENTER_GETCWD;
    rec->time = bpf_ktime_get_boot_ns();
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_getcwd is a struct ret_event (UNCLASSIFIED)
SEC("tracepoint/syscalls/sys_exit_getcwd")
int handle_sys_exit_getcwd(struct trace_event_raw_sys_exit *ctx)
{
    __u32 pid;
    __u32 tid;
    if (filter(&pid, &tid)) {
        return 0;
    }
    struct ret_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec) {
        return 0;
    }
    rec->pid = pid;
    rec->tid = tid;
    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_GETCWD;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret_type = UNCLASSIFIED;
    rec->ret = ctx->ret;
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_utimensat is a struct path_event
SEC("tracepoint/syscalls/sys_enter_utimensat")
int handle_sys_enter_utimensat(struct trace_event_raw_sys_enter *ctx)
{
    __u32 pid;
    __u32 tid;
    if (filter(&pid, &tid)) {
        return 0;
    }
    struct path_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec) {
        return 0;
    }
    rec->pid = pid;
    rec->tid = tid;
    rec->event_type = ENTER_PATH_EVENT;
    rec->trace_id = SYS_ENTER_UTIMENSAT;
    rec->time = bpf_ktime_get_boot_ns();
    __builtin_memset(&(rec->pathname), 0, sizeof(rec->pathname));
    // The pathname (args[1]) may be NULL when the call acts on the fd in
    // args[0] itself; the event then has an empty pathname, and the fd is not
    // recorded, so the target cannot be identified from this event.
    bpf_probe_read_user_str(rec->pathname, sizeof(rec->pathname), (void *)ctx->args[1]);
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_utimensat is a struct ret_event (UNCLASSIFIED)
SEC("tracepoint/syscalls/sys_exit_utimensat")
int handle_sys_exit_utimensat(struct trace_event_raw_sys_exit *ctx)
{
    __u32 pid;
    __u32 tid;
    if (filter(&pid, &tid)) {
        return 0;
    }
    struct ret_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec) {
        return 0;
    }
    rec->pid = pid;
    rec->tid = tid;
    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_UTIMENSAT;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret_type = UNCLASSIFIED;
    rec->ret = ctx->ret;
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_futimesat is a struct path_event
SEC("tracepoint/syscalls/sys_enter_futimesat")
int handle_sys_enter_futimesat(struct trace_event_raw_sys_enter *ctx)
{
    __u32 pid;
    __u32 tid;
    if (filter(&pid, &tid)) {
        return 0;
    }
    struct path_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec) {
        return 0;
    }
    rec->pid = pid;
    rec->tid = tid;
    rec->event_type = ENTER_PATH_EVENT;
    rec->trace_id = SYS_ENTER_FUTIMESAT;
    rec->time = bpf_ktime_get_boot_ns();
    __builtin_memset(&(rec->pathname), 0, sizeof(rec->pathname));
    // As with utimensat, a NULL pathname (args[1]) yields an empty string
    // here and the dirfd in args[0] is not recorded.
    bpf_probe_read_user_str(rec->pathname, sizeof(rec->pathname), (void *)ctx->args[1]);
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_futimesat is a struct ret_event (UNCLASSIFIED)
SEC("tracepoint/syscalls/sys_exit_futimesat")
int handle_sys_exit_futimesat(struct trace_event_raw_sys_exit *ctx)
{
    __u32 pid;
    __u32 tid;
    if (filter(&pid, &tid)) {
        return 0;
    }
    struct ret_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec) {
        return 0;
    }
    rec->pid = pid;
    rec->tid = tid;
    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_FUTIMESAT;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret_type = UNCLASSIFIED;
    rec->ret = ctx->ret;
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_sync is a struct null_event
SEC("tracepoint/syscalls/sys_enter_sync")
int handle_sys_enter_sync(struct trace_event_raw_sys_enter *ctx)
{
    __u32 pid;
    __u32 tid;
    if (filter(&pid, &tid)) {
        return 0;
    }
    struct null_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec) {
        return 0;
    }
    rec->pid = pid;
    rec->tid = tid;
    rec->event_type = ENTER_NULL_EVENT;
    rec->trace_id = SYS_ENTER_SYNC;
    rec->time = bpf_ktime_get_boot_ns();
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_sync is a struct ret_event (UNCLASSIFIED)
SEC("tracepoint/syscalls/sys_exit_sync")
int handle_sys_exit_sync(struct trace_event_raw_sys_exit *ctx)
{
    __u32 pid;
    __u32 tid;
    if (filter(&pid, &tid)) {
        return 0;
    }
    struct ret_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec) {
        return 0;
    }
    rec->pid = pid;
    rec->tid = tid;
    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_SYNC;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret_type = UNCLASSIFIED;
    rec->ret = ctx->ret;
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_syncfs is a struct fd_event
SEC("tracepoint/syscalls/sys_enter_syncfs")
int handle_sys_enter_syncfs(struct trace_event_raw_sys_enter *ctx)
{
    __u32 pid;
    __u32 tid;
    if (filter(&pid, &tid)) {
        return 0;
    }
    struct fd_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec) {
        return 0;
    }
    rec->pid = pid;
    rec->tid = tid;
    rec->event_type = ENTER_FD_EVENT;
    rec->trace_id = SYS_ENTER_SYNCFS;
    rec->time = bpf_ktime_get_boot_ns();
    rec->fd = (__s32)ctx->args[0];
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_syncfs is a struct ret_event (UNCLASSIFIED)
SEC("tracepoint/syscalls/sys_exit_syncfs")
int handle_sys_exit_syncfs(struct trace_event_raw_sys_exit *ctx)
{
    __u32 pid;
    __u32 tid;
    if (filter(&pid, &tid)) {
        return 0;
    }
    struct ret_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec) {
        return 0;
    }
    rec->pid = pid;
    rec->tid = tid;
    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_SYNCFS;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret_type = UNCLASSIFIED;
    rec->ret = ctx->ret;
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_fsync is a struct fd_event
SEC("tracepoint/syscalls/sys_enter_fsync")
int handle_sys_enter_fsync(struct trace_event_raw_sys_enter *ctx)
{
    __u32 pid;
    __u32 tid;
    if (filter(&pid, &tid)) {
        return 0;
    }
    struct fd_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec) {
        return 0;
    }
    rec->pid = pid;
    rec->tid = tid;
    rec->event_type = ENTER_FD_EVENT;
    rec->trace_id = SYS_ENTER_FSYNC;
    rec->time = bpf_ktime_get_boot_ns();
    rec->fd = (__s32)ctx->args[0];
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_fsync is a struct ret_event (UNCLASSIFIED)
SEC("tracepoint/syscalls/sys_exit_fsync")
int handle_sys_exit_fsync(struct trace_event_raw_sys_exit *ctx)
{
    __u32 pid;
    __u32 tid;
    if (filter(&pid, &tid)) {
        return 0;
    }
    struct ret_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec) {
        return 0;
    }
    rec->pid = pid;
    rec->tid = tid;
    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_FSYNC;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret_type = UNCLASSIFIED;
    rec->ret = ctx->ret;
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_fdatasync is a struct fd_event
SEC("tracepoint/syscalls/sys_enter_fdatasync")
int handle_sys_enter_fdatasync(struct trace_event_raw_sys_enter *ctx)
{
    __u32 pid;
    __u32 tid;
    if (filter(&pid, &tid)) {
        return 0;
    }
    struct fd_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec) {
        return 0;
    }
    rec->pid = pid;
    rec->tid = tid;
    rec->event_type = ENTER_FD_EVENT;
    rec->trace_id = SYS_ENTER_FDATASYNC;
    rec->time = bpf_ktime_get_boot_ns();
    rec->fd = (__s32)ctx->args[0];
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_fdatasync is a struct ret_event (UNCLASSIFIED)
SEC("tracepoint/syscalls/sys_exit_fdatasync")
int handle_sys_exit_fdatasync(struct trace_event_raw_sys_exit *ctx)
{
    __u32 pid;
    __u32 tid;
    if (filter(&pid, &tid)) {
        return 0;
    }
    struct ret_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec) {
        return 0;
    }
    rec->pid = pid;
    rec->tid = tid;
    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_FDATASYNC;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret_type = UNCLASSIFIED;
    rec->ret = ctx->ret;
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_sync_file_range is a struct fd_event
SEC("tracepoint/syscalls/sys_enter_sync_file_range")
int handle_sys_enter_sync_file_range(struct trace_event_raw_sys_enter *ctx)
{
    __u32 pid;
    __u32 tid;
    if (filter(&pid, &tid)) {
        return 0;
    }
    struct fd_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec) {
        return 0;
    }
    rec->pid = pid;
    rec->tid = tid;
    rec->event_type = ENTER_FD_EVENT;
    rec->trace_id = SYS_ENTER_SYNC_FILE_RANGE;
    rec->time = bpf_ktime_get_boot_ns();
    rec->fd = (__s32)ctx->args[0];
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_sync_file_range is a struct ret_event (UNCLASSIFIED)
SEC("tracepoint/syscalls/sys_exit_sync_file_range")
int handle_sys_exit_sync_file_range(struct trace_event_raw_sys_exit *ctx)
{
    __u32 pid;
    __u32 tid;
    if (filter(&pid, &tid)) {
        return 0;
    }
    struct ret_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec) {
        return 0;
    }
    rec->pid = pid;
    rec->tid = tid;
    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_SYNC_FILE_RANGE;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret_type = UNCLASSIFIED;
    rec->ret = ctx->ret;
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

///
/// sys_enter_vmsplice is a struct fd_event
SEC("tracepoint/syscalls/sys_enter_vmsplice")
int handle_sys_enter_vmsplice(struct trace_event_raw_sys_enter *ctx)
{
    __u32 pid;
    __u32 tid;
    // filter() (defined elsewhere) is expected to fill pid/tid; a non-zero
    // result skips the event.
    if (filter(&pid, &tid)) {
        return 0;
    }
    // When the ring buffer has no room the event is dropped here and nothing
    // records the loss, so enter/exit pairs can arrive incomplete.
    struct fd_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec) {
        return 0;
    }
    rec->pid = pid;
    rec->tid = tid;
    rec->event_type = ENTER_FD_EVENT;
    rec->trace_id = SYS_ENTER_VMSPLICE;
    rec->time = bpf_ktime_get_boot_ns();
    rec->fd = (__s32)ctx->args[0];
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_vmsplice is a struct ret_event (TRANSFER_CLASSIFIED)
SEC("tracepoint/syscalls/sys_exit_vmsplice")
int handle_sys_exit_vmsplice(struct trace_event_raw_sys_exit *ctx)
{
    __u32 pid;
    __u32 tid;
    if (filter(&pid, &tid)) {
        return 0;
    }
    struct ret_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec) {
        return 0;
    }
    rec->pid = pid;
    rec->tid = tid;
    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_VMSPLICE;
    rec->time = bpf_ktime_get_boot_ns();
    // ret_type tells the consumer how to interpret ret; its meaning is defined
    // outside this file (presumably a byte count for this class - confirm).
    rec->ret_type = TRANSFER_CLASSIFIED;
    // Raw syscall return value; a failed call reports a negative errno here.
    rec->ret = ctx->ret;
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_setxattrat is a struct path_event
SEC("tracepoint/syscalls/sys_enter_setxattrat")
int handle_sys_enter_setxattrat(struct trace_event_raw_sys_enter *ctx)
{
    __u32 pid;
    __u32 tid;
    if (filter(&pid, &tid)) {
        return 0;
    }
    struct path_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec) {
        return 0;
    }
    rec->pid = pid;
    rec->tid = tid;
    rec->event_type = ENTER_PATH_EVENT;
    rec->trace_id = SYS_ENTER_SETXATTRAT;
    rec->time = bpf_ktime_get_boot_ns();
    // Clear the buffer first: a reserved record is not guaranteed to be
    // zeroed, and the read below may fail or fill only part of the buffer.
    __builtin_memset(&(rec->pathname), 0, sizeof(rec->pathname));
    // The helper's return value is ignored: a faulting pointer leaves an empty
    // pathname and an over-long path is cut at sizeof(rec->pathname) with no
    // marker. The string is copied from user memory at syscall entry, so it is
    // what the caller passed, not proof of what the kernel later resolved.
    // The xattr handlers in this group record the file path only: the
    // attribute name and value are not captured, so a consumer cannot tell
    // which extended attribute was touched. The dirfd in args[0] is not
    // recorded either.
    bpf_probe_read_user_str(rec->pathname, sizeof(rec->pathname), (void *)ctx->args[1]);
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_setxattrat is a struct ret_event (UNCLASSIFIED)
SEC("tracepoint/syscalls/sys_exit_setxattrat")
int handle_sys_exit_setxattrat(struct trace_event_raw_sys_exit *ctx)
{
    __u32 pid;
    __u32 tid;
    if (filter(&pid, &tid)) {
        return 0;
    }
    struct ret_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec) {
        return 0;
    }
    rec->pid = pid;
    rec->tid = tid;
    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_SETXATTRAT;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret_type = UNCLASSIFIED;
    rec->ret = ctx->ret;
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_setxattr is a struct path_event
SEC("tracepoint/syscalls/sys_enter_setxattr")
int handle_sys_enter_setxattr(struct trace_event_raw_sys_enter *ctx)
{
    __u32 pid;
    __u32 tid;
    if (filter(&pid, &tid)) {
        return 0;
    }
    struct path_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec) {
        return 0;
    }
    rec->pid = pid;
    rec->tid = tid;
    rec->event_type = ENTER_PATH_EVENT;
    rec->trace_id = SYS_ENTER_SETXATTR;
    rec->time = bpf_ktime_get_boot_ns();
    __builtin_memset(&(rec->pathname), 0, sizeof(rec->pathname));
    bpf_probe_read_user_str(rec->pathname, sizeof(rec->pathname), (void *)ctx->args[0]);
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_setxattr is a struct ret_event (UNCLASSIFIED)
SEC("tracepoint/syscalls/sys_exit_setxattr")
int handle_sys_exit_setxattr(struct trace_event_raw_sys_exit *ctx)
{
    __u32 pid;
    __u32 tid;
    if (filter(&pid, &tid)) {
        return 0;
    }
    struct ret_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec) {
        return 0;
    }
    rec->pid = pid;
    rec->tid = tid;
    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_SETXATTR;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret_type = UNCLASSIFIED;
    rec->ret = ctx->ret;
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_lsetxattr is a struct path_event
SEC("tracepoint/syscalls/sys_enter_lsetxattr")
int handle_sys_enter_lsetxattr(struct trace_event_raw_sys_enter *ctx)
{
    __u32 pid;
    __u32 tid;
    if (filter(&pid, &tid)) {
        return 0;
    }
    struct path_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec) {
        return 0;
    }
    rec->pid = pid;
    rec->tid = tid;
    rec->event_type = ENTER_PATH_EVENT;
    rec->trace_id = SYS_ENTER_LSETXATTR;
    rec->time = bpf_ktime_get_boot_ns();
    __builtin_memset(&(rec->pathname), 0, sizeof(rec->pathname));
    bpf_probe_read_user_str(rec->pathname, sizeof(rec->pathname), (void *)ctx->args[0]);
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_lsetxattr is a struct ret_event (UNCLASSIFIED)
SEC("tracepoint/syscalls/sys_exit_lsetxattr")
int handle_sys_exit_lsetxattr(struct trace_event_raw_sys_exit *ctx)
{
    __u32 pid;
    __u32 tid;
    if (filter(&pid, &tid)) {
        return 0;
    }
    struct ret_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec) {
        return 0;
    }
    rec->pid = pid;
    rec->tid = tid;
    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_LSETXATTR;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret_type = UNCLASSIFIED;
    rec->ret = ctx->ret;
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_fsetxattr is a struct fd_event
SEC("tracepoint/syscalls/sys_enter_fsetxattr")
int handle_sys_enter_fsetxattr(struct trace_event_raw_sys_enter *ctx)
{
    __u32 pid;
    __u32 tid;
    if (filter(&pid, &tid)) {
        return 0;
    }
    struct fd_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec) {
        return 0;
    }
    rec->pid = pid;
    rec->tid = tid;
    rec->event_type = ENTER_FD_EVENT;
    rec->trace_id = SYS_ENTER_FSETXATTR;
    rec->time = bpf_ktime_get_boot_ns();
    rec->fd = (__s32)ctx->args[0];
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_fsetxattr is a struct ret_event (UNCLASSIFIED)
SEC("tracepoint/syscalls/sys_exit_fsetxattr")
int handle_sys_exit_fsetxattr(struct trace_event_raw_sys_exit *ctx)
{
    __u32 pid;
    __u32 tid;
    if (filter(&pid, &tid)) {
        return 0;
    }
    struct ret_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec) {
        return 0;
    }
    rec->pid = pid;
    rec->tid = tid;
    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_FSETXATTR;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret_type = UNCLASSIFIED;
    rec->ret = ctx->ret;
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_getxattrat is a struct path_event
SEC("tracepoint/syscalls/sys_enter_getxattrat")
int handle_sys_enter_getxattrat(struct trace_event_raw_sys_enter *ctx)
{
    __u32 pid;
    __u32 tid;
    if (filter(&pid, &tid)) {
        return 0;
    }
    struct path_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec) {
        return 0;
    }
    rec->pid = pid;
    rec->tid = tid;
    rec->event_type = ENTER_PATH_EVENT;
    rec->trace_id = SYS_ENTER_GETXATTRAT;
    rec->time = bpf_ktime_get_boot_ns();
    __builtin_memset(&(rec->pathname), 0, sizeof(rec->pathname));
    bpf_probe_read_user_str(rec->pathname, sizeof(rec->pathname), (void *)ctx->args[1]);
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_getxattrat is a struct ret_event (UNCLASSIFIED)
SEC("tracepoint/syscalls/sys_exit_getxattrat")
int handle_sys_exit_getxattrat(struct trace_event_raw_sys_exit *ctx)
{
    __u32 pid;
    __u32 tid;
    if (filter(&pid, &tid)) {
        return 0;
    }
    struct ret_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec) {
        return 0;
    }
    rec->pid = pid;
    rec->tid = tid;
    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_GETXATTRAT;
    rec->time = bpf_ktime_get_boot_ns();
    // NOTE(review): the getxattr and lgetxattr exit handlers below tag their
    // return READ_CLASSIFIED while this one is UNCLASSIFIED; confirm against
    // the generator's classification table whether that is intended.
    rec->ret_type = UNCLASSIFIED;
    rec->ret = ctx->ret;
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_getxattr is a struct path_event
SEC("tracepoint/syscalls/sys_enter_getxattr")
int handle_sys_enter_getxattr(struct trace_event_raw_sys_enter *ctx)
{
    __u32 pid;
    __u32 tid;
    if (filter(&pid, &tid)) {
        return 0;
    }
    struct path_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec) {
        return 0;
    }
    rec->pid = pid;
    rec->tid = tid;
    rec->event_type = ENTER_PATH_EVENT;
    rec->trace_id = SYS_ENTER_GETXATTR;
    rec->time = bpf_ktime_get_boot_ns();
    __builtin_memset(&(rec->pathname), 0, sizeof(rec->pathname));
    bpf_probe_read_user_str(rec->pathname, sizeof(rec->pathname), (void *)ctx->args[0]);
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_getxattr is a struct ret_event (READ_CLASSIFIED)
SEC("tracepoint/syscalls/sys_exit_getxattr")
int handle_sys_exit_getxattr(struct trace_event_raw_sys_exit *ctx)
{
    __u32 pid;
    __u32 tid;
    if (filter(&pid, &tid)) {
        return 0;
    }
    struct ret_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec) {
        return 0;
    }
    rec->pid = pid;
    rec->tid = tid;
    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_GETXATTR;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret_type = READ_CLASSIFIED;
    rec->ret = ctx->ret;
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_lgetxattr is a struct path_event
SEC("tracepoint/syscalls/sys_enter_lgetxattr")
int handle_sys_enter_lgetxattr(struct trace_event_raw_sys_enter *ctx)
{
    __u32 pid;
    __u32 tid;
    if (filter(&pid, &tid)) {
        return 0;
    }
    struct path_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec) {
        return 0;
    }
    rec->pid = pid;
    rec->tid = tid;
    rec->event_type = ENTER_PATH_EVENT;
    rec->trace_id = SYS_ENTER_LGETXATTR;
    rec->time = bpf_ktime_get_boot_ns();
    __builtin_memset(&(rec->pathname), 0, sizeof(rec->pathname));
    bpf_probe_read_user_str(rec->pathname, sizeof(rec->pathname), (void *)ctx->args[0]);
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_lgetxattr is a struct ret_event (READ_CLASSIFIED)
SEC("tracepoint/syscalls/sys_exit_lgetxattr")
int handle_sys_exit_lgetxattr(struct trace_event_raw_sys_exit *ctx)
{
    __u32 pid;
    __u32 tid;
    if (filter(&pid, &tid)) {
        return 0;
    }
    struct ret_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec) {
        return 0;
    }
    rec->pid = pid;
    rec->tid = tid;
    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_LGETXATTR;
    rec->time = bpf_ktime_get_boot_ns();
    rec->ret_type = READ_CLASSIFIED;
    rec->ret = ctx->ret;
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_fgetxattr is a struct fd_event
SEC("tracepoint/syscalls/sys_enter_fgetxattr")
int handle_sys_enter_fgetxattr(struct trace_event_raw_sys_enter *ctx)
{
    __u32 pid;
    __u32 tid;
    if (filter(&pid, &tid)) {
        return 0;
    }
    struct fd_event *rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec) {
        return 0;
    }
    rec->pid = pid;
    rec->tid = tid;
    rec->event_type = ENTER_FD_EVENT;
    rec->trace_id = SYS_ENTER_FGETXATTR;
    rec->time = bpf_ktime_get_boot_ns();
    rec->fd = (__s32)ctx->args[0];
    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_fgetxattr is a struct ret_event (READ_CLASSIFIED)
// Generated tracepoint handlers: fgetxattr exit, then the listxattr and
// removexattr families. Every handler below has the same shape: when filter()
// (defined outside this view) returns non-zero it exits without emitting;
// otherwise it reserves one record from event_map, fills it in and submits it.
//
// Review notes for anyone consuming these records:
//  - If bpf_ringbuf_reserve() fails, the handler returns 0 and nothing in this
//    code counts or logs the loss, so a full ring buffer shows up only as a
//    silent gap in the trace.
//  - Path strings are copied from user memory at syscall entry and the return
//    value of bpf_probe_read_user_str() is ignored. An unreadable pointer leaves
//    the zeroed (empty) string and an over-long path is cut at
//    sizeof(ev->pathname) without any marker.
//  - The recorded string is what the probe read at entry. The kernel copies the
//    path again when it executes the call, so a concurrent writer in the traced
//    process can make the two differ.
//  - For the xattr calls only the path or fd is captured; no handler here reads
//    the attribute-name argument.
SEC("tracepoint/syscalls/sys_exit_fgetxattr")
int handle_sys_exit_fgetxattr(struct trace_event_raw_sys_exit *ctx)
{
    __u32 pid, tid;
    if (filter(&pid, &tid)) return 0;
    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev) return 0; // reservation failed: event dropped silently
    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_FGETXATTR;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = READ_CLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_listxattrat is a struct path_event
// Only args[1] (the path) is captured; args[0] (presumably the directory fd,
// TODO confirm) is not, so a relative path cannot be anchored from this record
// alone.
SEC("tracepoint/syscalls/sys_enter_listxattrat")
int handle_sys_enter_listxattrat(struct trace_event_raw_sys_enter *ctx)
{
    __u32 pid, tid;
    if (filter(&pid, &tid)) return 0;
    struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
    if (!ev) return 0;
    ev->event_type = ENTER_PATH_EVENT;
    ev->trace_id = SYS_ENTER_LISTXATTRAT;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    // Zero first so the field is fully initialised even if the read below fails.
    __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
    bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]);
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_listxattrat is a struct ret_event (UNCLASSIFIED)
// NOTE(review): tagged UNCLASSIFIED, while sys_exit_listxattr, sys_exit_llistxattr
// and sys_exit_flistxattr below are READ_CLASSIFIED. Confirm whether the
// generator's classification simply does not know the *at variant.
SEC("tracepoint/syscalls/sys_exit_listxattrat")
int handle_sys_exit_listxattrat(struct trace_event_raw_sys_exit *ctx)
{
    __u32 pid, tid;
    if (filter(&pid, &tid)) return 0;
    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev) return 0;
    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_LISTXATTRAT;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_listxattr is a struct path_event
SEC("tracepoint/syscalls/sys_enter_listxattr")
int handle_sys_enter_listxattr(struct trace_event_raw_sys_enter *ctx)
{
    __u32 pid, tid;
    if (filter(&pid, &tid)) return 0;
    struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
    if (!ev) return 0;
    ev->event_type = ENTER_PATH_EVENT;
    ev->trace_id = SYS_ENTER_LISTXATTR;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
    bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]);
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_listxattr is a struct ret_event (READ_CLASSIFIED)
SEC("tracepoint/syscalls/sys_exit_listxattr")
int handle_sys_exit_listxattr(struct trace_event_raw_sys_exit *ctx)
{
    __u32 pid, tid;
    if (filter(&pid, &tid)) return 0;
    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev) return 0;
    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_LISTXATTR;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = READ_CLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_llistxattr is a struct path_event
SEC("tracepoint/syscalls/sys_enter_llistxattr")
int handle_sys_enter_llistxattr(struct trace_event_raw_sys_enter *ctx)
{
    __u32 pid, tid;
    if (filter(&pid, &tid)) return 0;
    struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
    if (!ev) return 0;
    ev->event_type = ENTER_PATH_EVENT;
    ev->trace_id = SYS_ENTER_LLISTXATTR;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
    bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]);
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_llistxattr is a struct ret_event (READ_CLASSIFIED)
SEC("tracepoint/syscalls/sys_exit_llistxattr")
int handle_sys_exit_llistxattr(struct trace_event_raw_sys_exit *ctx)
{
    __u32 pid, tid;
    if (filter(&pid, &tid)) return 0;
    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev) return 0;
    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_LLISTXATTR;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = READ_CLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_flistxattr is a struct fd_event
SEC("tracepoint/syscalls/sys_enter_flistxattr")
int handle_sys_enter_flistxattr(struct trace_event_raw_sys_enter *ctx)
{
    __u32 pid, tid;
    if (filter(&pid, &tid)) return 0;
    struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
    if (!ev) return 0;
    ev->event_type = ENTER_FD_EVENT;
    ev->trace_id = SYS_ENTER_FLISTXATTR;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->fd = (__s32)ctx->args[0]; // the raw argument is narrowed to a signed 32-bit fd
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_flistxattr is a struct ret_event (READ_CLASSIFIED)
SEC("tracepoint/syscalls/sys_exit_flistxattr")
int handle_sys_exit_flistxattr(struct trace_event_raw_sys_exit *ctx)
{
    __u32 pid, tid;
    if (filter(&pid, &tid)) return 0;
    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev) return 0;
    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_FLISTXATTR;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = READ_CLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_removexattrat is a struct path_event
// Only args[1] (the path) is captured; args[0] and the attribute name are not
// part of the record.
SEC("tracepoint/syscalls/sys_enter_removexattrat")
int handle_sys_enter_removexattrat(struct trace_event_raw_sys_enter *ctx)
{
    __u32 pid, tid;
    if (filter(&pid, &tid)) return 0;
    struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
    if (!ev) return 0;
    ev->event_type = ENTER_PATH_EVENT;
    ev->trace_id = SYS_ENTER_REMOVEXATTRAT;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
    bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]);
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_removexattrat is a struct ret_event (UNCLASSIFIED)
SEC("tracepoint/syscalls/sys_exit_removexattrat")
int handle_sys_exit_removexattrat(struct trace_event_raw_sys_exit *ctx)
{
    __u32 pid, tid;
    if (filter(&pid, &tid)) return 0;
    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev) return 0;
    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_REMOVEXATTRAT;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_removexattr is a struct path_event
// Only the path (args[0]) is captured; the attribute name in args[1] is not, so
// the record does not say which attribute was removed.
SEC("tracepoint/syscalls/sys_enter_removexattr")
int handle_sys_enter_removexattr(struct trace_event_raw_sys_enter *ctx)
{
    __u32 pid, tid;
    if (filter(&pid, &tid)) return 0;
    struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
    if (!ev) return 0;
    ev->event_type = ENTER_PATH_EVENT;
    ev->trace_id = SYS_ENTER_REMOVEXATTR;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
    bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]);
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_removexattr is a struct ret_event (UNCLASSIFIED)
SEC("tracepoint/syscalls/sys_exit_removexattr")
int handle_sys_exit_removexattr(struct trace_event_raw_sys_exit *ctx)
{
    __u32 pid, tid;
    if (filter(&pid, &tid)) return 0;
    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev) return 0;
    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_REMOVEXATTR;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_lremovexattr is a struct path_event
// Same capture as removexattr: path from args[0], attribute name not recorded.
SEC("tracepoint/syscalls/sys_enter_lremovexattr")
int handle_sys_enter_lremovexattr(struct trace_event_raw_sys_enter *ctx)
{
    __u32 pid, tid;
    if (filter(&pid, &tid)) return 0;
    struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
    if (!ev) return 0;
    ev->event_type = ENTER_PATH_EVENT;
    ev->trace_id = SYS_ENTER_LREMOVEXATTR;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
    bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]);
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_lremovexattr is a struct ret_event (UNCLASSIFIED)
SEC("tracepoint/syscalls/sys_exit_lremovexattr")
int handle_sys_exit_lremovexattr(struct trace_event_raw_sys_exit *ctx)
{
    __u32 pid, tid;
    if (filter(&pid, &tid)) return 0;
    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev) return 0;
    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_LREMOVEXATTR;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_fremovexattr is a struct fd_event
// Only the fd (args[0]) is captured; the attribute name is not recorded.
SEC("tracepoint/syscalls/sys_enter_fremovexattr")
int handle_sys_enter_fremovexattr(struct trace_event_raw_sys_enter *ctx)
{
    __u32 pid, tid;
    if (filter(&pid, &tid)) return 0;
    struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
    if (!ev) return 0;
    ev->event_type = ENTER_FD_EVENT;
    ev->trace_id = SYS_ENTER_FREMOVEXATTR;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->fd = (__s32)ctx->args[0];
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_fremovexattr is a struct ret_event (UNCLASSIFIED)
SEC("tracepoint/syscalls/sys_exit_fremovexattr")
int handle_sys_exit_fremovexattr(struct trace_event_raw_sys_exit *ctx)
{
    __u32 pid, tid;
    if (filter(&pid, &tid)) return 0;
    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev) return 0;
    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_FREMOVEXATTR;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

///
/// sys_enter_open_tree is a struct open_event
// Generated tracepoint handler. When filter() (defined outside this view)
// returns non-zero it exits without emitting; otherwise it reserves one
// open_event from event_map, fills it in and submits it. If the reservation
// fails the event is dropped with no counter or log in this code.
// The filename is copied from user memory (args[1]) at syscall entry and the
// helper's return value is ignored: an unreadable pointer leaves an empty
// string, an over-long name is cut at sizeof(ev->filename), and the kernel's own
// later copy of the path may differ if the traced process rewrites the buffer.
// args[0] is not recorded, so a relative filename cannot be anchored from this
// record alone.
SEC("tracepoint/syscalls/sys_enter_open_tree")
int handle_sys_enter_open_tree(struct trace_event_raw_sys_enter *ctx)
{
    __u32 pid, tid;
    if (filter(&pid, &tid)) return 0;
    struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0);
    if (!ev) return 0;
    ev->event_type = ENTER_OPEN_EVENT;
    ev->trace_id = SYS_ENTER_OPEN_TREE;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    // NOTE(review): one memset spans filename and comm, which relies on the two
    // arrays being laid out back to back in struct open_event (declared outside
    // this view). Confirm the layout, or the write runs past `filename` into
    // whatever follows it.
    __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm));
    bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[1]);
    bpf_get_current_comm(&ev->comm, sizeof(ev->comm));
    ev->flags = ctx->args[2]; // implicit conversion to the type of ev->flags
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_open_tree is a struct ret_event (UNCLASSIFIED)
// Emits the syscall's return value; the record is tagged UNCLASSIFIED.
SEC("tracepoint/syscalls/sys_exit_open_tree")
int handle_sys_exit_open_tree(struct trace_event_raw_sys_exit *ctx)
{
    __u32 pid, tid;
    if (filter(&pid, &tid)) return 0;
    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev) return 0;
    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_OPEN_TREE;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_mount_setattr is a struct path_event
// Only the path (args[1]) is captured. The other arguments, including the
// attribute structure that describes the requested mount change, are not read,
// so the record shows that the call was made on a path but not what was changed.
SEC("tracepoint/syscalls/sys_enter_mount_setattr")
int handle_sys_enter_mount_setattr(struct trace_event_raw_sys_enter *ctx)
{
    __u32 pid, tid;
    if (filter(&pid, &tid)) return 0;
    struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
    if (!ev) return 0;
    ev->event_type = ENTER_PATH_EVENT;
    ev->trace_id = SYS_ENTER_MOUNT_SETATTR;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    // Zero first so the field is fully initialised even if the read below fails.
    __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
    bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]);
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_mount_setattr is a struct ret_event
/// (UNCLASSIFIED)
// Generated tracepoint handlers: mount_setattr exit, open_tree_attr,
// close_range, dup*, getdents*, ioctl, fcntl, mkdir*, rmdir. Every handler below
// has the same shape: when filter() (defined outside this view) returns non-zero
// it exits without emitting; otherwise it reserves one record from event_map,
// fills it in and submits it.
//
// Review notes for anyone consuming these records:
//  - If bpf_ringbuf_reserve() fails, the handler returns 0 and nothing in this
//    code counts or logs the loss, so a full ring buffer shows up only as a
//    silent gap in the trace.
//  - Path strings are copied from user memory at syscall entry and the return
//    value of bpf_probe_read_user_str() is ignored. An unreadable pointer leaves
//    the zeroed (empty) string and an over-long path is cut at the field size
//    without any marker.
//  - The recorded string is what the probe read at entry. The kernel copies the
//    path again when it executes the call, so a concurrent writer in the traced
//    process can make the two differ.
//  - The *at handlers do not record the directory fd, so a relative path cannot
//    be anchored from the record alone.
SEC("tracepoint/syscalls/sys_exit_mount_setattr")
int handle_sys_exit_mount_setattr(struct trace_event_raw_sys_exit *ctx)
{
    __u32 pid, tid;
    if (filter(&pid, &tid)) return 0;
    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev) return 0; // reservation failed: event dropped silently
    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_MOUNT_SETATTR;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_open_tree_attr is a struct open_event
// Records filename (args[1]), the current task's comm and flags (args[2]); the
// remaining arguments are not read.
SEC("tracepoint/syscalls/sys_enter_open_tree_attr")
int handle_sys_enter_open_tree_attr(struct trace_event_raw_sys_enter *ctx)
{
    __u32 pid, tid;
    if (filter(&pid, &tid)) return 0;
    struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0);
    if (!ev) return 0;
    ev->event_type = ENTER_OPEN_EVENT;
    ev->trace_id = SYS_ENTER_OPEN_TREE_ATTR;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    // NOTE(review): one memset spans filename and comm, which relies on the two
    // arrays being laid out back to back in struct open_event (declared outside
    // this view). Confirm the layout, or the write runs past `filename` into
    // whatever follows it.
    __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm));
    bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[1]);
    bpf_get_current_comm(&ev->comm, sizeof(ev->comm));
    ev->flags = ctx->args[2]; // implicit conversion to the type of ev->flags
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_open_tree_attr is a struct ret_event (UNCLASSIFIED)
SEC("tracepoint/syscalls/sys_exit_open_tree_attr")
int handle_sys_exit_open_tree_attr(struct trace_event_raw_sys_exit *ctx)
{
    __u32 pid, tid;
    if (filter(&pid, &tid)) return 0;
    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev) return 0;
    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_OPEN_TREE_ATTR;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_close_range is a struct fd_event
// Only the first fd of the range (args[0]) is recorded. The upper bound and the
// flags are not, so the set of descriptors affected cannot be reconstructed
// from this record.
SEC("tracepoint/syscalls/sys_enter_close_range")
int handle_sys_enter_close_range(struct trace_event_raw_sys_enter *ctx)
{
    __u32 pid, tid;
    if (filter(&pid, &tid)) return 0;
    struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
    if (!ev) return 0;
    ev->event_type = ENTER_FD_EVENT;
    ev->trace_id = SYS_ENTER_CLOSE_RANGE;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->fd = (__s32)ctx->args[0];
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_close_range is a struct ret_event (UNCLASSIFIED)
SEC("tracepoint/syscalls/sys_exit_close_range")
int handle_sys_exit_close_range(struct trace_event_raw_sys_exit *ctx)
{
    __u32 pid, tid;
    if (filter(&pid, &tid)) return 0;
    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev) return 0;
    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_CLOSE_RANGE;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_dup3 is a struct dup3_event
// Records the old fd (args[0]) and the flags (args[2]); the requested new fd
// (args[1]) is not stored by this handler.
SEC("tracepoint/syscalls/sys_enter_dup3")
int handle_sys_enter_dup3(struct trace_event_raw_sys_enter *ctx)
{
    __u32 pid, tid;
    if (filter(&pid, &tid)) return 0;
    struct dup3_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct dup3_event), 0);
    if (!ev) return 0;
    ev->event_type = ENTER_DUP3_EVENT;
    ev->trace_id = SYS_ENTER_DUP3;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->fd = (__s32)ctx->args[0];
    ev->flags = (__s32)ctx->args[2];
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_dup3 is a struct ret_event (UNCLASSIFIED)
SEC("tracepoint/syscalls/sys_exit_dup3")
int handle_sys_exit_dup3(struct trace_event_raw_sys_exit *ctx)
{
    __u32 pid, tid;
    if (filter(&pid, &tid)) return 0;
    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev) return 0;
    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_DUP3;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_dup2 is a struct fd_event
// Only the old fd (args[0]) is recorded; the requested new fd (args[1]) is not.
SEC("tracepoint/syscalls/sys_enter_dup2")
int handle_sys_enter_dup2(struct trace_event_raw_sys_enter *ctx)
{
    __u32 pid, tid;
    if (filter(&pid, &tid)) return 0;
    struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
    if (!ev) return 0;
    ev->event_type = ENTER_FD_EVENT;
    ev->trace_id = SYS_ENTER_DUP2;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->fd = (__s32)ctx->args[0];
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_dup2 is a struct ret_event (UNCLASSIFIED)
SEC("tracepoint/syscalls/sys_exit_dup2")
int handle_sys_exit_dup2(struct trace_event_raw_sys_exit *ctx)
{
    __u32 pid, tid;
    if (filter(&pid, &tid)) return 0;
    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev) return 0;
    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_DUP2;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_dup is a struct fd_event
SEC("tracepoint/syscalls/sys_enter_dup")
int handle_sys_enter_dup(struct trace_event_raw_sys_enter *ctx)
{
    __u32 pid, tid;
    if (filter(&pid, &tid)) return 0;
    struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
    if (!ev) return 0;
    ev->event_type = ENTER_FD_EVENT;
    ev->trace_id = SYS_ENTER_DUP;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->fd = (__s32)ctx->args[0];
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_dup is a struct ret_event (UNCLASSIFIED)
SEC("tracepoint/syscalls/sys_exit_dup")
int handle_sys_exit_dup(struct trace_event_raw_sys_exit *ctx)
{
    __u32 pid, tid;
    if (filter(&pid, &tid)) return 0;
    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev) return 0;
    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_DUP;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_getdents is a struct fd_event
SEC("tracepoint/syscalls/sys_enter_getdents")
int handle_sys_enter_getdents(struct trace_event_raw_sys_enter *ctx)
{
    __u32 pid, tid;
    if (filter(&pid, &tid)) return 0;
    struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
    if (!ev) return 0;
    ev->event_type = ENTER_FD_EVENT;
    ev->trace_id = SYS_ENTER_GETDENTS;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->fd = (__s32)ctx->args[0];
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_getdents is a struct ret_event (READ_CLASSIFIED)
SEC("tracepoint/syscalls/sys_exit_getdents")
int handle_sys_exit_getdents(struct trace_event_raw_sys_exit *ctx)
{
    __u32 pid, tid;
    if (filter(&pid, &tid)) return 0;
    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev) return 0;
    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_GETDENTS;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = READ_CLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_getdents64 is a struct fd_event
SEC("tracepoint/syscalls/sys_enter_getdents64")
int handle_sys_enter_getdents64(struct trace_event_raw_sys_enter *ctx)
{
    __u32 pid, tid;
    if (filter(&pid, &tid)) return 0;
    struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
    if (!ev) return 0;
    ev->event_type = ENTER_FD_EVENT;
    ev->trace_id = SYS_ENTER_GETDENTS64;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->fd = (__s32)ctx->args[0];
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_getdents64 is a struct ret_event (READ_CLASSIFIED)
SEC("tracepoint/syscalls/sys_exit_getdents64")
int handle_sys_exit_getdents64(struct trace_event_raw_sys_exit *ctx)
{
    __u32 pid, tid;
    if (filter(&pid, &tid)) return 0;
    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev) return 0;
    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_GETDENTS64;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = READ_CLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_ioctl is a struct fd_event
// Only the fd (args[0]) is recorded. The request code (args[1]) is not, so the
// record shows that an ioctl was issued on a descriptor but not which one.
SEC("tracepoint/syscalls/sys_enter_ioctl")
int handle_sys_enter_ioctl(struct trace_event_raw_sys_enter *ctx)
{
    __u32 pid, tid;
    if (filter(&pid, &tid)) return 0;
    struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
    if (!ev) return 0;
    ev->event_type = ENTER_FD_EVENT;
    ev->trace_id = SYS_ENTER_IOCTL;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->fd = (__s32)ctx->args[0];
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_ioctl is a struct ret_event (UNCLASSIFIED)
SEC("tracepoint/syscalls/sys_exit_ioctl")
int handle_sys_exit_ioctl(struct trace_event_raw_sys_exit *ctx)
{
    __u32 pid, tid;
    if (filter(&pid, &tid)) return 0;
    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev) return 0;
    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_IOCTL;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_fcntl is a struct fcntl_event
// Records fd, cmd and arg from args[0..2]. Unlike the fd_event handlers there
// are no explicit casts: the values are converted implicitly to the field types
// of struct fcntl_event, which is declared outside this view.
SEC("tracepoint/syscalls/sys_enter_fcntl")
int handle_sys_enter_fcntl(struct trace_event_raw_sys_enter *ctx)
{
    __u32 pid, tid;
    if (filter(&pid, &tid)) return 0;
    struct fcntl_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fcntl_event), 0);
    if (!ev) return 0;
    ev->event_type = ENTER_FCNTL_EVENT;
    ev->trace_id = SYS_ENTER_FCNTL;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->fd = ctx->args[0];
    ev->cmd = ctx->args[1];
    ev->arg = ctx->args[2];
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_fcntl is a struct ret_event (UNCLASSIFIED)
SEC("tracepoint/syscalls/sys_exit_fcntl")
int handle_sys_exit_fcntl(struct trace_event_raw_sys_exit *ctx)
{
    __u32 pid, tid;
    if (filter(&pid, &tid)) return 0;
    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev) return 0;
    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_FCNTL;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_mkdirat is a struct path_event
// Path from args[1]; the directory fd (args[0]) and the mode are not recorded.
SEC("tracepoint/syscalls/sys_enter_mkdirat")
int handle_sys_enter_mkdirat(struct trace_event_raw_sys_enter *ctx)
{
    __u32 pid, tid;
    if (filter(&pid, &tid)) return 0;
    struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
    if (!ev) return 0;
    ev->event_type = ENTER_PATH_EVENT;
    ev->trace_id = SYS_ENTER_MKDIRAT;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    // Zero first so the field is fully initialised even if the read below fails.
    __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
    bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]);
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_mkdirat is a struct ret_event (UNCLASSIFIED)
SEC("tracepoint/syscalls/sys_exit_mkdirat")
int handle_sys_exit_mkdirat(struct trace_event_raw_sys_exit *ctx)
{
    __u32 pid, tid;
    if (filter(&pid, &tid)) return 0;
    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev) return 0;
    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_MKDIRAT;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_mkdir is a struct path_event
SEC("tracepoint/syscalls/sys_enter_mkdir")
int handle_sys_enter_mkdir(struct trace_event_raw_sys_enter *ctx)
{
    __u32 pid, tid;
    if (filter(&pid, &tid)) return 0;
    struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
    if (!ev) return 0;
    ev->event_type = ENTER_PATH_EVENT;
    ev->trace_id = SYS_ENTER_MKDIR;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
    bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]);
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_mkdir is a struct ret_event (UNCLASSIFIED)
SEC("tracepoint/syscalls/sys_exit_mkdir")
int handle_sys_exit_mkdir(struct trace_event_raw_sys_exit *ctx)
{
    __u32 pid, tid;
    if (filter(&pid, &tid)) return 0;
    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev) return 0;
    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_MKDIR;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_rmdir is a struct path_event
SEC("tracepoint/syscalls/sys_enter_rmdir")
int handle_sys_enter_rmdir(struct trace_event_raw_sys_enter *ctx)
{
    __u32 pid, tid;
    if (filter(&pid, &tid)) return 0;
    struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
    if (!ev) return 0;
    ev->event_type = ENTER_PATH_EVENT;
    ev->trace_id = SYS_ENTER_RMDIR;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
    bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]);
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_rmdir is a struct ret_event (UNCLASSIFIED)
SEC("tracepoint/syscalls/sys_exit_rmdir")
int handle_sys_exit_rmdir(struct trace_event_raw_sys_exit *ctx)
{
    __u32 pid, tid;
    if (filter(&pid, &tid)) return 0;
    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev) return 0;
    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_RMDIR;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_unlinkat is a struct path_event
// Generated tracepoint handlers: unlink*, symlink*, link*, renameat*. Every
// handler below has the same shape: when filter() (defined outside this view)
// returns non-zero it exits without emitting; otherwise it reserves one record
// from event_map, fills it in and submits it.
//
// Review notes for anyone consuming these records:
//  - If bpf_ringbuf_reserve() fails, the handler returns 0 and nothing in this
//    code counts or logs the loss, so a full ring buffer shows up only as a
//    silent gap in the trace.
//  - Path strings are copied from user memory at syscall entry and the return
//    value of bpf_probe_read_user_str() is ignored. An unreadable pointer leaves
//    the zeroed (empty) string and an over-long path is cut at the field size
//    without any marker.
//  - The recorded strings are what the probe read at entry. The kernel copies
//    the paths again when it executes the call, so a concurrent writer in the
//    traced process can make the two differ.
//  - The *at handlers do not record directory fds or flags, so relative paths
//    cannot be anchored from the record alone.
//  - NOTE(review): the name_event handlers clear oldname and newname with one
//    memset starting at oldname. That relies on the two arrays being laid out
//    back to back in struct name_event (declared outside this view). Confirm
//    the layout.
SEC("tracepoint/syscalls/sys_enter_unlinkat")
int handle_sys_enter_unlinkat(struct trace_event_raw_sys_enter *ctx)
{
    __u32 pid, tid;
    if (filter(&pid, &tid)) return 0;
    struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
    if (!ev) return 0; // reservation failed: event dropped silently
    ev->event_type = ENTER_PATH_EVENT;
    ev->trace_id = SYS_ENTER_UNLINKAT;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    // Zero first so the field is fully initialised even if the read below fails.
    __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
    // Path from args[1]. The flags in args[2] are not recorded, so a directory
    // removal requested with AT_REMOVEDIR looks the same as a file unlink here.
    bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]);
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_unlinkat is a struct ret_event (UNCLASSIFIED)
SEC("tracepoint/syscalls/sys_exit_unlinkat")
int handle_sys_exit_unlinkat(struct trace_event_raw_sys_exit *ctx)
{
    __u32 pid, tid;
    if (filter(&pid, &tid)) return 0;
    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev) return 0;
    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_UNLINKAT;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_unlink is a struct path_event
SEC("tracepoint/syscalls/sys_enter_unlink")
int handle_sys_enter_unlink(struct trace_event_raw_sys_enter *ctx)
{
    __u32 pid, tid;
    if (filter(&pid, &tid)) return 0;
    struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
    if (!ev) return 0;
    ev->event_type = ENTER_PATH_EVENT;
    ev->trace_id = SYS_ENTER_UNLINK;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
    bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]);
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_unlink is a struct ret_event (UNCLASSIFIED)
SEC("tracepoint/syscalls/sys_exit_unlink")
int handle_sys_exit_unlink(struct trace_event_raw_sys_exit *ctx)
{
    __u32 pid, tid;
    if (filter(&pid, &tid)) return 0;
    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev) return 0;
    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_UNLINK;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_symlinkat is a struct name_event
// oldname is the link target string (args[0]) and newname the link path
// (args[2]); the directory fd in args[1] is not recorded.
SEC("tracepoint/syscalls/sys_enter_symlinkat")
int handle_sys_enter_symlinkat(struct trace_event_raw_sys_enter *ctx)
{
    __u32 pid, tid;
    if (filter(&pid, &tid)) return 0;
    struct name_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct name_event), 0);
    if (!ev) return 0;
    ev->event_type = ENTER_NAME_EVENT;
    ev->trace_id = SYS_ENTER_SYMLINKAT;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    // One memset clears both name fields; see the layout note at the top.
    __builtin_memset(&(ev->oldname), 0, sizeof(ev->oldname) + sizeof(ev->newname));
    bpf_probe_read_user_str(ev->oldname, sizeof(ev->oldname), (void*)ctx->args[0]);
    bpf_probe_read_user_str(ev->newname, sizeof(ev->newname), (void*)ctx->args[2]);
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_symlinkat is a struct ret_event (UNCLASSIFIED)
SEC("tracepoint/syscalls/sys_exit_symlinkat")
int handle_sys_exit_symlinkat(struct trace_event_raw_sys_exit *ctx)
{
    __u32 pid, tid;
    if (filter(&pid, &tid)) return 0;
    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev) return 0;
    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_SYMLINKAT;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_symlink is a struct name_event
SEC("tracepoint/syscalls/sys_enter_symlink")
int handle_sys_enter_symlink(struct trace_event_raw_sys_enter *ctx)
{
    __u32 pid, tid;
    if (filter(&pid, &tid)) return 0;
    struct name_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct name_event), 0);
    if (!ev) return 0;
    ev->event_type = ENTER_NAME_EVENT;
    ev->trace_id = SYS_ENTER_SYMLINK;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    __builtin_memset(&(ev->oldname), 0, sizeof(ev->oldname) + sizeof(ev->newname));
    bpf_probe_read_user_str(ev->oldname, sizeof(ev->oldname), (void*)ctx->args[0]);
    bpf_probe_read_user_str(ev->newname, sizeof(ev->newname), (void*)ctx->args[1]);
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_symlink is a struct ret_event (UNCLASSIFIED)
SEC("tracepoint/syscalls/sys_exit_symlink")
int handle_sys_exit_symlink(struct trace_event_raw_sys_exit *ctx)
{
    __u32 pid, tid;
    if (filter(&pid, &tid)) return 0;
    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev) return 0;
    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_SYMLINK;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_linkat is a struct name_event
// Paths from args[1] and args[3]; both directory fds and the flags are not
// recorded.
SEC("tracepoint/syscalls/sys_enter_linkat")
int handle_sys_enter_linkat(struct trace_event_raw_sys_enter *ctx)
{
    __u32 pid, tid;
    if (filter(&pid, &tid)) return 0;
    struct name_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct name_event), 0);
    if (!ev) return 0;
    ev->event_type = ENTER_NAME_EVENT;
    ev->trace_id = SYS_ENTER_LINKAT;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    __builtin_memset(&(ev->oldname), 0, sizeof(ev->oldname) + sizeof(ev->newname));
    bpf_probe_read_user_str(ev->oldname, sizeof(ev->oldname), (void*)ctx->args[1]);
    bpf_probe_read_user_str(ev->newname, sizeof(ev->newname), (void*)ctx->args[3]);
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_linkat is a struct ret_event (UNCLASSIFIED)
SEC("tracepoint/syscalls/sys_exit_linkat")
int handle_sys_exit_linkat(struct trace_event_raw_sys_exit *ctx)
{
    __u32 pid, tid;
    if (filter(&pid, &tid)) return 0;
    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev) return 0;
    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_LINKAT;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_link is a struct name_event
SEC("tracepoint/syscalls/sys_enter_link")
int handle_sys_enter_link(struct trace_event_raw_sys_enter *ctx)
{
    __u32 pid, tid;
    if (filter(&pid, &tid)) return 0;
    struct name_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct name_event), 0);
    if (!ev) return 0;
    ev->event_type = ENTER_NAME_EVENT;
    ev->trace_id = SYS_ENTER_LINK;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    __builtin_memset(&(ev->oldname), 0, sizeof(ev->oldname) + sizeof(ev->newname));
    bpf_probe_read_user_str(ev->oldname, sizeof(ev->oldname), (void*)ctx->args[0]);
    bpf_probe_read_user_str(ev->newname, sizeof(ev->newname), (void*)ctx->args[1]);
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_link is a struct ret_event (UNCLASSIFIED)
SEC("tracepoint/syscalls/sys_exit_link")
int handle_sys_exit_link(struct trace_event_raw_sys_exit *ctx)
{
    __u32 pid, tid;
    if (filter(&pid, &tid)) return 0;
    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev) return 0;
    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_LINK;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_renameat2 is a struct name_event
// Paths from args[1] and args[3]. The flags in args[4] are not recorded, so an
// atomic exchange (RENAME_EXCHANGE) cannot be told apart from a plain rename in
// this record.
SEC("tracepoint/syscalls/sys_enter_renameat2")
int handle_sys_enter_renameat2(struct trace_event_raw_sys_enter *ctx)
{
    __u32 pid, tid;
    if (filter(&pid, &tid)) return 0;
    struct name_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct name_event), 0);
    if (!ev) return 0;
    ev->event_type = ENTER_NAME_EVENT;
    ev->trace_id = SYS_ENTER_RENAMEAT2;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    __builtin_memset(&(ev->oldname), 0, sizeof(ev->oldname) + sizeof(ev->newname));
    bpf_probe_read_user_str(ev->oldname, sizeof(ev->oldname), (void*)ctx->args[1]);
    bpf_probe_read_user_str(ev->newname, sizeof(ev->newname), (void*)ctx->args[3]);
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_renameat2 is a struct ret_event (UNCLASSIFIED)
SEC("tracepoint/syscalls/sys_exit_renameat2")
int handle_sys_exit_renameat2(struct trace_event_raw_sys_exit *ctx)
{
    __u32 pid, tid;
    if (filter(&pid, &tid)) return 0;
    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev) return 0;
    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_RENAMEAT2;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_renameat is a struct name_event
SEC("tracepoint/syscalls/sys_enter_renameat")
int handle_sys_enter_renameat(struct trace_event_raw_sys_enter *ctx)
{
    __u32 pid, tid;
    if (filter(&pid, &tid)) return 0;
    struct name_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct name_event), 0);
    if (!ev) return 0;
    ev->event_type = ENTER_NAME_EVENT;
    ev->trace_id = SYS_ENTER_RENAMEAT;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    __builtin_memset(&(ev->oldname), 0, sizeof(ev->oldname) + sizeof(ev->newname));
    bpf_probe_read_user_str(ev->oldname, sizeof(ev->oldname), (void*)ctx->args[1]);
    bpf_probe_read_user_str(ev->newname, sizeof(ev->newname), (void*)ctx->args[3]);
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_exit_renameat is a struct ret_event (UNCLASSIFIED)
SEC("tracepoint/syscalls/sys_exit_renameat")
int handle_sys_exit_renameat(struct trace_event_raw_sys_exit *ctx)
{
    __u32 pid, tid;
    if (filter(&pid, &tid)) return 0;
    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
    if (!ev) return 0;
    ev->event_type = EXIT_RET_EVENT;
    ev->trace_id = SYS_EXIT_RENAMEAT;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_boot_ns();
    ev->ret = ctx->ret;
    ev->ret_type = UNCLASSIFIED;
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

/// sys_enter_rename is
a struct name_event SEC("tracepoint/syscalls/sys_enter_rename") int handle_sys_enter_rename(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; struct name_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct name_event), 0); if (!ev) return 0; ev->event_type = ENTER_NAME_EVENT; ev->trace_id = SYS_ENTER_RENAME; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); __builtin_memset(&(ev->oldname), 0, sizeof(ev->oldname) + sizeof(ev->newname)); bpf_probe_read_user_str(ev->oldname, sizeof(ev->oldname), (void*)ctx->args[0]); bpf_probe_read_user_str(ev->newname, sizeof(ev->newname), (void*)ctx->args[1]); bpf_ringbuf_submit(ev, 0); return 0; } /// sys_exit_rename is a struct ret_event (UNCLASSIFIED) SEC("tracepoint/syscalls/sys_exit_rename") int handle_sys_exit_rename(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; ev->event_type = EXIT_RET_EVENT; ev->trace_id = SYS_EXIT_RENAME; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); ev->ret = ctx->ret; ev->ret_type = UNCLASSIFIED; bpf_ringbuf_submit(ev, 0); return 0; } /// sys_enter_newstat is a struct path_event SEC("tracepoint/syscalls/sys_enter_newstat") int handle_sys_enter_newstat(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; ev->event_type = ENTER_PATH_EVENT; ev->trace_id = SYS_ENTER_NEWSTAT; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); bpf_ringbuf_submit(ev, 0); return 0; } /// sys_exit_newstat is a struct ret_event (UNCLASSIFIED) SEC("tracepoint/syscalls/sys_exit_newstat") int 
handle_sys_exit_newstat(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; ev->event_type = EXIT_RET_EVENT; ev->trace_id = SYS_EXIT_NEWSTAT; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); ev->ret = ctx->ret; ev->ret_type = UNCLASSIFIED; bpf_ringbuf_submit(ev, 0); return 0; } /// sys_enter_newlstat is a struct path_event SEC("tracepoint/syscalls/sys_enter_newlstat") int handle_sys_enter_newlstat(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; ev->event_type = ENTER_PATH_EVENT; ev->trace_id = SYS_ENTER_NEWLSTAT; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); bpf_ringbuf_submit(ev, 0); return 0; } /// sys_exit_newlstat is a struct ret_event (UNCLASSIFIED) SEC("tracepoint/syscalls/sys_exit_newlstat") int handle_sys_exit_newlstat(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; ev->event_type = EXIT_RET_EVENT; ev->trace_id = SYS_EXIT_NEWLSTAT; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); ev->ret = ctx->ret; ev->ret_type = UNCLASSIFIED; bpf_ringbuf_submit(ev, 0); return 0; } /// sys_enter_newfstatat is a struct path_event SEC("tracepoint/syscalls/sys_enter_newfstatat") int handle_sys_enter_newfstatat(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; ev->event_type = ENTER_PATH_EVENT; ev->trace_id = 
SYS_ENTER_NEWFSTATAT; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]); bpf_ringbuf_submit(ev, 0); return 0; } /// sys_exit_newfstatat is a struct ret_event (UNCLASSIFIED) SEC("tracepoint/syscalls/sys_exit_newfstatat") int handle_sys_exit_newfstatat(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; ev->event_type = EXIT_RET_EVENT; ev->trace_id = SYS_EXIT_NEWFSTATAT; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); ev->ret = ctx->ret; ev->ret_type = UNCLASSIFIED; bpf_ringbuf_submit(ev, 0); return 0; } /// sys_enter_newfstat is a struct fd_event SEC("tracepoint/syscalls/sys_enter_newfstat") int handle_sys_enter_newfstat(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; ev->event_type = ENTER_FD_EVENT; ev->trace_id = SYS_ENTER_NEWFSTAT; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); ev->fd = (__s32)ctx->args[0]; bpf_ringbuf_submit(ev, 0); return 0; } /// sys_exit_newfstat is a struct ret_event (UNCLASSIFIED) SEC("tracepoint/syscalls/sys_exit_newfstat") int handle_sys_exit_newfstat(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; ev->event_type = EXIT_RET_EVENT; ev->trace_id = SYS_EXIT_NEWFSTAT; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); ev->ret = ctx->ret; ev->ret_type = UNCLASSIFIED; bpf_ringbuf_submit(ev, 0); return 0; } /// sys_enter_readlinkat is a struct path_event SEC("tracepoint/syscalls/sys_enter_readlinkat") int 
handle_sys_enter_readlinkat(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; ev->event_type = ENTER_PATH_EVENT; ev->trace_id = SYS_ENTER_READLINKAT; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]); bpf_ringbuf_submit(ev, 0); return 0; } /// sys_exit_readlinkat is a struct ret_event (READ_CLASSIFIED) SEC("tracepoint/syscalls/sys_exit_readlinkat") int handle_sys_exit_readlinkat(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; ev->event_type = EXIT_RET_EVENT; ev->trace_id = SYS_EXIT_READLINKAT; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); ev->ret = ctx->ret; ev->ret_type = READ_CLASSIFIED; bpf_ringbuf_submit(ev, 0); return 0; } /// sys_enter_readlink is a struct path_event SEC("tracepoint/syscalls/sys_enter_readlink") int handle_sys_enter_readlink(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; ev->event_type = ENTER_PATH_EVENT; ev->trace_id = SYS_ENTER_READLINK; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); bpf_ringbuf_submit(ev, 0); return 0; } /// sys_exit_readlink is a struct ret_event (READ_CLASSIFIED) SEC("tracepoint/syscalls/sys_exit_readlink") int handle_sys_exit_readlink(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; struct ret_event *ev = 
bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; ev->event_type = EXIT_RET_EVENT; ev->trace_id = SYS_EXIT_READLINK; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); ev->ret = ctx->ret; ev->ret_type = READ_CLASSIFIED; bpf_ringbuf_submit(ev, 0); return 0; } /// sys_enter_statx is a struct path_event SEC("tracepoint/syscalls/sys_enter_statx") int handle_sys_enter_statx(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; ev->event_type = ENTER_PATH_EVENT; ev->trace_id = SYS_ENTER_STATX; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]); bpf_ringbuf_submit(ev, 0); return 0; } /// sys_exit_statx is a struct ret_event (UNCLASSIFIED) SEC("tracepoint/syscalls/sys_exit_statx") int handle_sys_exit_statx(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; ev->event_type = EXIT_RET_EVENT; ev->trace_id = SYS_EXIT_STATX; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); ev->ret = ctx->ret; ev->ret_type = UNCLASSIFIED; bpf_ringbuf_submit(ev, 0); return 0; } /// sys_enter_lseek is a struct fd_event SEC("tracepoint/syscalls/sys_enter_lseek") int handle_sys_enter_lseek(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; ev->event_type = ENTER_FD_EVENT; ev->trace_id = SYS_ENTER_LSEEK; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); ev->fd = (__s32)ctx->args[0]; bpf_ringbuf_submit(ev, 0); return 0; } /// sys_exit_lseek is a struct 
ret_event (UNCLASSIFIED) SEC("tracepoint/syscalls/sys_exit_lseek") int handle_sys_exit_lseek(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; ev->event_type = EXIT_RET_EVENT; ev->trace_id = SYS_EXIT_LSEEK; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); ev->ret = ctx->ret; ev->ret_type = UNCLASSIFIED; bpf_ringbuf_submit(ev, 0); return 0; } /// sys_enter_read is a struct fd_event SEC("tracepoint/syscalls/sys_enter_read") int handle_sys_enter_read(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; ev->event_type = ENTER_FD_EVENT; ev->trace_id = SYS_ENTER_READ; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); ev->fd = (__s32)ctx->args[0]; bpf_ringbuf_submit(ev, 0); return 0; } /// sys_exit_read is a struct ret_event (READ_CLASSIFIED) SEC("tracepoint/syscalls/sys_exit_read") int handle_sys_exit_read(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; ev->event_type = EXIT_RET_EVENT; ev->trace_id = SYS_EXIT_READ; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); ev->ret = ctx->ret; ev->ret_type = READ_CLASSIFIED; bpf_ringbuf_submit(ev, 0); return 0; } /// sys_enter_write is a struct fd_event SEC("tracepoint/syscalls/sys_enter_write") int handle_sys_enter_write(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; ev->event_type = ENTER_FD_EVENT; ev->trace_id = SYS_ENTER_WRITE; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); ev->fd = 
(__s32)ctx->args[0]; bpf_ringbuf_submit(ev, 0); return 0; } /// sys_exit_write is a struct ret_event (WRITE_CLASSIFIED) SEC("tracepoint/syscalls/sys_exit_write") int handle_sys_exit_write(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; ev->event_type = EXIT_RET_EVENT; ev->trace_id = SYS_EXIT_WRITE; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); ev->ret = ctx->ret; ev->ret_type = WRITE_CLASSIFIED; bpf_ringbuf_submit(ev, 0); return 0; } /// sys_enter_pread64 is a struct fd_event SEC("tracepoint/syscalls/sys_enter_pread64") int handle_sys_enter_pread64(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; ev->event_type = ENTER_FD_EVENT; ev->trace_id = SYS_ENTER_PREAD64; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); ev->fd = (__s32)ctx->args[0]; bpf_ringbuf_submit(ev, 0); return 0; } /// sys_exit_pread64 is a struct ret_event (READ_CLASSIFIED) SEC("tracepoint/syscalls/sys_exit_pread64") int handle_sys_exit_pread64(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; ev->event_type = EXIT_RET_EVENT; ev->trace_id = SYS_EXIT_PREAD64; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); ev->ret = ctx->ret; ev->ret_type = READ_CLASSIFIED; bpf_ringbuf_submit(ev, 0); return 0; } /// sys_enter_pwrite64 is a struct fd_event SEC("tracepoint/syscalls/sys_enter_pwrite64") int handle_sys_enter_pwrite64(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; ev->event_type = 
ENTER_FD_EVENT; ev->trace_id = SYS_ENTER_PWRITE64; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); ev->fd = (__s32)ctx->args[0]; bpf_ringbuf_submit(ev, 0); return 0; } /// sys_exit_pwrite64 is a struct ret_event (WRITE_CLASSIFIED) SEC("tracepoint/syscalls/sys_exit_pwrite64") int handle_sys_exit_pwrite64(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; ev->event_type = EXIT_RET_EVENT; ev->trace_id = SYS_EXIT_PWRITE64; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); ev->ret = ctx->ret; ev->ret_type = WRITE_CLASSIFIED; bpf_ringbuf_submit(ev, 0); return 0; } /// sys_enter_readv is a struct fd_event SEC("tracepoint/syscalls/sys_enter_readv") int handle_sys_enter_readv(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; ev->event_type = ENTER_FD_EVENT; ev->trace_id = SYS_ENTER_READV; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); ev->fd = (__s32)ctx->args[0]; bpf_ringbuf_submit(ev, 0); return 0; } /// sys_exit_readv is a struct ret_event (READ_CLASSIFIED) SEC("tracepoint/syscalls/sys_exit_readv") int handle_sys_exit_readv(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; ev->event_type = EXIT_RET_EVENT; ev->trace_id = SYS_EXIT_READV; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); ev->ret = ctx->ret; ev->ret_type = READ_CLASSIFIED; bpf_ringbuf_submit(ev, 0); return 0; } /// sys_enter_writev is a struct fd_event SEC("tracepoint/syscalls/sys_enter_writev") int handle_sys_enter_writev(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; struct 
fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; ev->event_type = ENTER_FD_EVENT; ev->trace_id = SYS_ENTER_WRITEV; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); ev->fd = (__s32)ctx->args[0]; bpf_ringbuf_submit(ev, 0); return 0; } /// sys_exit_writev is a struct ret_event (WRITE_CLASSIFIED) SEC("tracepoint/syscalls/sys_exit_writev") int handle_sys_exit_writev(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; ev->event_type = EXIT_RET_EVENT; ev->trace_id = SYS_EXIT_WRITEV; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); ev->ret = ctx->ret; ev->ret_type = WRITE_CLASSIFIED; bpf_ringbuf_submit(ev, 0); return 0; } /// sys_enter_preadv is a struct fd_event SEC("tracepoint/syscalls/sys_enter_preadv") int handle_sys_enter_preadv(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; ev->event_type = ENTER_FD_EVENT; ev->trace_id = SYS_ENTER_PREADV; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); ev->fd = (__s32)ctx->args[0]; bpf_ringbuf_submit(ev, 0); return 0; } /// sys_exit_preadv is a struct ret_event (READ_CLASSIFIED) SEC("tracepoint/syscalls/sys_exit_preadv") int handle_sys_exit_preadv(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; ev->event_type = EXIT_RET_EVENT; ev->trace_id = SYS_EXIT_PREADV; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); ev->ret = ctx->ret; ev->ret_type = READ_CLASSIFIED; bpf_ringbuf_submit(ev, 0); return 0; } /// sys_enter_preadv2 is a struct fd_event SEC("tracepoint/syscalls/sys_enter_preadv2") int 
handle_sys_enter_preadv2(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; ev->event_type = ENTER_FD_EVENT; ev->trace_id = SYS_ENTER_PREADV2; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); ev->fd = (__s32)ctx->args[0]; bpf_ringbuf_submit(ev, 0); return 0; } /// sys_exit_preadv2 is a struct ret_event (READ_CLASSIFIED) SEC("tracepoint/syscalls/sys_exit_preadv2") int handle_sys_exit_preadv2(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; ev->event_type = EXIT_RET_EVENT; ev->trace_id = SYS_EXIT_PREADV2; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); ev->ret = ctx->ret; ev->ret_type = READ_CLASSIFIED; bpf_ringbuf_submit(ev, 0); return 0; } /// sys_enter_pwritev is a struct fd_event SEC("tracepoint/syscalls/sys_enter_pwritev") int handle_sys_enter_pwritev(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; ev->event_type = ENTER_FD_EVENT; ev->trace_id = SYS_ENTER_PWRITEV; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); ev->fd = (__s32)ctx->args[0]; bpf_ringbuf_submit(ev, 0); return 0; } /// sys_exit_pwritev is a struct ret_event (WRITE_CLASSIFIED) SEC("tracepoint/syscalls/sys_exit_pwritev") int handle_sys_exit_pwritev(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; ev->event_type = EXIT_RET_EVENT; ev->trace_id = SYS_EXIT_PWRITEV; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); ev->ret = ctx->ret; ev->ret_type = WRITE_CLASSIFIED; 
bpf_ringbuf_submit(ev, 0); return 0; } /// sys_enter_pwritev2 is a struct fd_event SEC("tracepoint/syscalls/sys_enter_pwritev2") int handle_sys_enter_pwritev2(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; ev->event_type = ENTER_FD_EVENT; ev->trace_id = SYS_ENTER_PWRITEV2; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); ev->fd = (__s32)ctx->args[0]; bpf_ringbuf_submit(ev, 0); return 0; } /// sys_exit_pwritev2 is a struct ret_event (WRITE_CLASSIFIED) SEC("tracepoint/syscalls/sys_exit_pwritev2") int handle_sys_exit_pwritev2(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; ev->event_type = EXIT_RET_EVENT; ev->trace_id = SYS_EXIT_PWRITEV2; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); ev->ret = ctx->ret; ev->ret_type = WRITE_CLASSIFIED; bpf_ringbuf_submit(ev, 0); return 0; } /// sys_enter_copy_file_range is a struct fd_event SEC("tracepoint/syscalls/sys_enter_copy_file_range") int handle_sys_enter_copy_file_range(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; ev->event_type = ENTER_FD_EVENT; ev->trace_id = SYS_ENTER_COPY_FILE_RANGE; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); ev->fd = (__s32)ctx->args[0]; bpf_ringbuf_submit(ev, 0); return 0; } /// sys_exit_copy_file_range is a struct ret_event (TRANSFER_CLASSIFIED) SEC("tracepoint/syscalls/sys_exit_copy_file_range") int handle_sys_exit_copy_file_range(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) 
return 0; ev->event_type = EXIT_RET_EVENT; ev->trace_id = SYS_EXIT_COPY_FILE_RANGE; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); ev->ret = ctx->ret; ev->ret_type = TRANSFER_CLASSIFIED; bpf_ringbuf_submit(ev, 0); return 0; } /// sys_enter_truncate is a struct path_event SEC("tracepoint/syscalls/sys_enter_truncate") int handle_sys_enter_truncate(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; ev->event_type = ENTER_PATH_EVENT; ev->trace_id = SYS_ENTER_TRUNCATE; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); bpf_ringbuf_submit(ev, 0); return 0; } /// sys_exit_truncate is a struct ret_event (UNCLASSIFIED) SEC("tracepoint/syscalls/sys_exit_truncate") int handle_sys_exit_truncate(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; ev->event_type = EXIT_RET_EVENT; ev->trace_id = SYS_EXIT_TRUNCATE; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); ev->ret = ctx->ret; ev->ret_type = UNCLASSIFIED; bpf_ringbuf_submit(ev, 0); return 0; } /// sys_enter_ftruncate is a struct fd_event SEC("tracepoint/syscalls/sys_enter_ftruncate") int handle_sys_enter_ftruncate(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; ev->event_type = ENTER_FD_EVENT; ev->trace_id = SYS_ENTER_FTRUNCATE; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); ev->fd = (__s32)ctx->args[0]; bpf_ringbuf_submit(ev, 0); return 0; } /// sys_exit_ftruncate is a struct ret_event 
(UNCLASSIFIED) SEC("tracepoint/syscalls/sys_exit_ftruncate") int handle_sys_exit_ftruncate(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; ev->event_type = EXIT_RET_EVENT; ev->trace_id = SYS_EXIT_FTRUNCATE; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); ev->ret = ctx->ret; ev->ret_type = UNCLASSIFIED; bpf_ringbuf_submit(ev, 0); return 0; } /// sys_enter_fallocate is a struct fd_event SEC("tracepoint/syscalls/sys_enter_fallocate") int handle_sys_enter_fallocate(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; ev->event_type = ENTER_FD_EVENT; ev->trace_id = SYS_ENTER_FALLOCATE; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); ev->fd = (__s32)ctx->args[0]; bpf_ringbuf_submit(ev, 0); return 0; } /// sys_exit_fallocate is a struct ret_event (UNCLASSIFIED) SEC("tracepoint/syscalls/sys_exit_fallocate") int handle_sys_exit_fallocate(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; ev->event_type = EXIT_RET_EVENT; ev->trace_id = SYS_EXIT_FALLOCATE; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); ev->ret = ctx->ret; ev->ret_type = UNCLASSIFIED; bpf_ringbuf_submit(ev, 0); return 0; } /// sys_enter_faccessat is a struct path_event SEC("tracepoint/syscalls/sys_enter_faccessat") int handle_sys_enter_faccessat(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; ev->event_type = ENTER_PATH_EVENT; ev->trace_id = SYS_ENTER_FACCESSAT; ev->pid = pid; ev->tid = 
tid; ev->time = bpf_ktime_get_boot_ns(); __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]); bpf_ringbuf_submit(ev, 0); return 0; } /// sys_exit_faccessat is a struct ret_event (UNCLASSIFIED) SEC("tracepoint/syscalls/sys_exit_faccessat") int handle_sys_exit_faccessat(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; ev->event_type = EXIT_RET_EVENT; ev->trace_id = SYS_EXIT_FACCESSAT; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); ev->ret = ctx->ret; ev->ret_type = UNCLASSIFIED; bpf_ringbuf_submit(ev, 0); return 0; } /// sys_enter_faccessat2 is a struct path_event SEC("tracepoint/syscalls/sys_enter_faccessat2") int handle_sys_enter_faccessat2(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; ev->event_type = ENTER_PATH_EVENT; ev->trace_id = SYS_ENTER_FACCESSAT2; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]); bpf_ringbuf_submit(ev, 0); return 0; } /// sys_exit_faccessat2 is a struct ret_event (UNCLASSIFIED) SEC("tracepoint/syscalls/sys_exit_faccessat2") int handle_sys_exit_faccessat2(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; ev->event_type = EXIT_RET_EVENT; ev->trace_id = SYS_EXIT_FACCESSAT2; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); ev->ret = ctx->ret; ev->ret_type = UNCLASSIFIED; bpf_ringbuf_submit(ev, 0); return 0; } /// sys_enter_access is a 
/// struct path_event
///
/// Records args[0], the pathname argument of access(2), as the caller passed
/// it. Caveats for anyone using these records for auditing:
///  - the string is copied from user memory at syscall entry, so a concurrent
///    writer in the traced process can change it before the kernel resolves
///    it; treat the recorded path as a hint, not as the object acted upon;
///  - the return value of bpf_probe_read_user_str() is ignored, so a failed
///    copy is submitted with an all-zero pathname, and a string longer than
///    sizeof(pathname) is truncated without any marker;
///  - the caller's working directory is not recorded, so a relative path
///    cannot be resolved from this record alone.
/// Nothing is emitted when filter() returns non-zero or when the ring buffer
/// reservation fails; no drop counter is kept here.
SEC("tracepoint/syscalls/sys_enter_access")
int handle_sys_enter_access(struct trace_event_raw_sys_enter *ctx)
{
    __u32 pid;
    __u32 tid;
    struct path_event *rec;

    if (filter(&pid, &tid)) {
        return 0;
    }

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec) {
        return 0;
    }

    rec->event_type = ENTER_PATH_EVENT;
    rec->trace_id = SYS_ENTER_ACCESS;
    rec->tid = tid;
    rec->pid = pid;
    rec->time = bpf_ktime_get_boot_ns();

    // Zero first so the bytes after the copied string's NUL are defined.
    __builtin_memset(&rec->pathname, 0, sizeof(rec->pathname));
    bpf_probe_read_user_str(rec->pathname, sizeof(rec->pathname), (void *)ctx->args[0]);

    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_access is a struct ret_event (UNCLASSIFIED)
/// Reports the return value of access(2); pid, tid and the timestamp are the
/// only fields that relate it to the enter record.
SEC("tracepoint/syscalls/sys_exit_access")
int handle_sys_exit_access(struct trace_event_raw_sys_exit *ctx)
{
    __u32 pid;
    __u32 tid;
    struct ret_event *rec;

    if (filter(&pid, &tid)) {
        return 0;
    }

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec) {
        return 0;
    }

    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_ACCESS;
    rec->ret_type = UNCLASSIFIED;
    rec->ret = ctx->ret;
    rec->tid = tid;
    rec->pid = pid;
    rec->time = bpf_ktime_get_boot_ns();

    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_chdir is a struct path_event
/// Records args[0], the path argument of chdir(2); same capture caveats as
/// handle_sys_enter_access above.
SEC("tracepoint/syscalls/sys_enter_chdir")
int handle_sys_enter_chdir(struct trace_event_raw_sys_enter *ctx)
{
    __u32 pid;
    __u32 tid;
    struct path_event *rec;

    if (filter(&pid, &tid)) {
        return 0;
    }

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec) {
        return 0;
    }

    rec->event_type = ENTER_PATH_EVENT;
    rec->trace_id = SYS_ENTER_CHDIR;
    rec->tid = tid;
    rec->pid = pid;
    rec->time = bpf_ktime_get_boot_ns();

    __builtin_memset(&rec->pathname, 0, sizeof(rec->pathname));
    bpf_probe_read_user_str(rec->pathname, sizeof(rec->pathname), (void *)ctx->args[0]);

    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_chdir is a struct ret_event (UNCLASSIFIED)
/// Reports the return value of chdir(2).
SEC("tracepoint/syscalls/sys_exit_chdir")
int handle_sys_exit_chdir(struct trace_event_raw_sys_exit *ctx)
{
    __u32 pid;
    __u32 tid;
    struct ret_event *rec;

    if (filter(&pid, &tid)) {
        return 0;
    }

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec) {
        return 0;
    }

    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_CHDIR;
    rec->ret_type = UNCLASSIFIED;
    rec->ret = ctx->ret;
    rec->tid = tid;
    rec->pid = pid;
    rec->time = bpf_ktime_get_boot_ns();

    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_fchdir is a struct fd_event
/// Records args[0], the descriptor passed to fchdir(2), narrowed to __s32.
/// The record does not identify the directory behind the descriptor.
SEC("tracepoint/syscalls/sys_enter_fchdir")
int handle_sys_enter_fchdir(struct trace_event_raw_sys_enter *ctx)
{
    __u32 pid;
    __u32 tid;
    struct fd_event *rec;

    if (filter(&pid, &tid)) {
        return 0;
    }

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec) {
        return 0;
    }

    rec->event_type = ENTER_FD_EVENT;
    rec->trace_id = SYS_ENTER_FCHDIR;
    rec->fd = (__s32)ctx->args[0];
    rec->tid = tid;
    rec->pid = pid;
    rec->time = bpf_ktime_get_boot_ns();

    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_fchdir is a struct ret_event (UNCLASSIFIED)
/// Reports the return value of fchdir(2).
SEC("tracepoint/syscalls/sys_exit_fchdir")
int handle_sys_exit_fchdir(struct trace_event_raw_sys_exit *ctx)
{
    __u32 pid;
    __u32 tid;
    struct ret_event *rec;

    if (filter(&pid, &tid)) {
        return 0;
    }

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec) {
        return 0;
    }

    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_FCHDIR;
    rec->ret_type = UNCLASSIFIED;
    rec->ret = ctx->ret;
    rec->tid = tid;
    rec->pid = pid;
    rec->time = bpf_ktime_get_boot_ns();

    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_chroot is a struct path_event
/// Records args[0], the path argument of chroot(2); same capture caveats as
/// handle_sys_enter_access above. After a successful chroot the paths this
/// task passes to later syscalls are relative to the new root, which the
/// records themselves do not indicate.
SEC("tracepoint/syscalls/sys_enter_chroot")
int handle_sys_enter_chroot(struct trace_event_raw_sys_enter *ctx)
{
    __u32 pid;
    __u32 tid;
    struct path_event *rec;

    if (filter(&pid, &tid)) {
        return 0;
    }

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec) {
        return 0;
    }

    rec->event_type = ENTER_PATH_EVENT;
    rec->trace_id = SYS_ENTER_CHROOT;
    rec->tid = tid;
    rec->pid = pid;
    rec->time = bpf_ktime_get_boot_ns();

    __builtin_memset(&rec->pathname, 0, sizeof(rec->pathname));
    bpf_probe_read_user_str(rec->pathname, sizeof(rec->pathname), (void *)ctx->args[0]);

    bpf_ringbuf_submit(rec, 0);
    return 0;
}

///
/// sys_exit_chroot is a struct ret_event (UNCLASSIFIED)
///
/// Reports the return value of chroot(2). The record carries pid, tid and a
/// boot-time timestamp but no other link to the matching enter record.
/// Nothing is emitted when filter() returns non-zero or when the ring buffer
/// reservation fails; no drop counter is kept here, so records lost under
/// ring-buffer pressure are invisible to the consumer.
SEC("tracepoint/syscalls/sys_exit_chroot")
int handle_sys_exit_chroot(struct trace_event_raw_sys_exit *ctx)
{
    __u32 pid;
    __u32 tid;
    struct ret_event *rec;

    if (filter(&pid, &tid)) {
        return 0;
    }

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec) {
        return 0;
    }

    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_CHROOT;
    rec->ret_type = UNCLASSIFIED;
    rec->ret = ctx->ret;
    rec->tid = tid;
    rec->pid = pid;
    rec->time = bpf_ktime_get_boot_ns();

    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_fchmod is a struct fd_event
/// Records args[0], the descriptor passed to fchmod(2), narrowed to __s32.
/// The requested mode (args[1]) is not recorded.
SEC("tracepoint/syscalls/sys_enter_fchmod")
int handle_sys_enter_fchmod(struct trace_event_raw_sys_enter *ctx)
{
    __u32 pid;
    __u32 tid;
    struct fd_event *rec;

    if (filter(&pid, &tid)) {
        return 0;
    }

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec) {
        return 0;
    }

    rec->event_type = ENTER_FD_EVENT;
    rec->trace_id = SYS_ENTER_FCHMOD;
    rec->fd = (__s32)ctx->args[0];
    rec->tid = tid;
    rec->pid = pid;
    rec->time = bpf_ktime_get_boot_ns();

    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_fchmod is a struct ret_event (UNCLASSIFIED)
/// Reports the return value of fchmod(2).
SEC("tracepoint/syscalls/sys_exit_fchmod")
int handle_sys_exit_fchmod(struct trace_event_raw_sys_exit *ctx)
{
    __u32 pid;
    __u32 tid;
    struct ret_event *rec;

    if (filter(&pid, &tid)) {
        return 0;
    }

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec) {
        return 0;
    }

    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_FCHMOD;
    rec->ret_type = UNCLASSIFIED;
    rec->ret = ctx->ret;
    rec->tid = tid;
    rec->pid = pid;
    rec->time = bpf_ktime_get_boot_ns();

    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_fchmodat2 is a struct path_event
///
/// Records args[1], the pathname argument of fchmodat2(2), as the caller
/// passed it. Caveats for anyone using these records for auditing:
///  - the string is copied from user memory at syscall entry, so a concurrent
///    writer in the traced process can change it before the kernel resolves
///    it; treat the recorded path as a hint, not as the object acted upon;
///  - the return value of bpf_probe_read_user_str() is ignored, so a failed
///    copy is submitted with an all-zero pathname, and a string longer than
///    sizeof(pathname) is truncated without any marker;
///  - dirfd (args[0]) and the requested mode are not recorded, so neither a
///    relative path nor the permission change itself can be reconstructed
///    from this record alone.
SEC("tracepoint/syscalls/sys_enter_fchmodat2")
int handle_sys_enter_fchmodat2(struct trace_event_raw_sys_enter *ctx)
{
    __u32 pid;
    __u32 tid;
    struct path_event *rec;

    if (filter(&pid, &tid)) {
        return 0;
    }

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec) {
        return 0;
    }

    rec->event_type = ENTER_PATH_EVENT;
    rec->trace_id = SYS_ENTER_FCHMODAT2;
    rec->tid = tid;
    rec->pid = pid;
    rec->time = bpf_ktime_get_boot_ns();

    // Zero first so the bytes after the copied string's NUL are defined.
    __builtin_memset(&rec->pathname, 0, sizeof(rec->pathname));
    bpf_probe_read_user_str(rec->pathname, sizeof(rec->pathname), (void *)ctx->args[1]);

    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_fchmodat2 is a struct ret_event (UNCLASSIFIED)
/// Reports the return value of fchmodat2(2).
SEC("tracepoint/syscalls/sys_exit_fchmodat2")
int handle_sys_exit_fchmodat2(struct trace_event_raw_sys_exit *ctx)
{
    __u32 pid;
    __u32 tid;
    struct ret_event *rec;

    if (filter(&pid, &tid)) {
        return 0;
    }

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec) {
        return 0;
    }

    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_FCHMODAT2;
    rec->ret_type = UNCLASSIFIED;
    rec->ret = ctx->ret;
    rec->tid = tid;
    rec->pid = pid;
    rec->time = bpf_ktime_get_boot_ns();

    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_fchmodat is a struct path_event
/// Records args[1], the pathname argument of fchmodat(2); same capture
/// caveats as handle_sys_enter_fchmodat2 above.
SEC("tracepoint/syscalls/sys_enter_fchmodat")
int handle_sys_enter_fchmodat(struct trace_event_raw_sys_enter *ctx)
{
    __u32 pid;
    __u32 tid;
    struct path_event *rec;

    if (filter(&pid, &tid)) {
        return 0;
    }

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec) {
        return 0;
    }

    rec->event_type = ENTER_PATH_EVENT;
    rec->trace_id = SYS_ENTER_FCHMODAT;
    rec->tid = tid;
    rec->pid = pid;
    rec->time = bpf_ktime_get_boot_ns();

    __builtin_memset(&rec->pathname, 0, sizeof(rec->pathname));
    bpf_probe_read_user_str(rec->pathname, sizeof(rec->pathname), (void *)ctx->args[1]);

    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_fchmodat is a struct ret_event (UNCLASSIFIED)
/// Reports the return value of fchmodat(2).
SEC("tracepoint/syscalls/sys_exit_fchmodat")
int handle_sys_exit_fchmodat(struct trace_event_raw_sys_exit *ctx)
{
    __u32 pid;
    __u32 tid;
    struct ret_event *rec;

    if (filter(&pid, &tid)) {
        return 0;
    }

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec) {
        return 0;
    }

    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_FCHMODAT;
    rec->ret_type = UNCLASSIFIED;
    rec->ret = ctx->ret;
    rec->tid = tid;
    rec->pid = pid;
    rec->time = bpf_ktime_get_boot_ns();

    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_chmod is a struct
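/// path_event
///
/// Records args[0], the path argument of chmod(2), as the caller passed it.
/// Caveats for anyone using these records for auditing:
///  - the string is copied from user memory at syscall entry, so a concurrent
///    writer in the traced process can change it before the kernel resolves
///    it; treat the recorded path as a hint, not as the object acted upon;
///  - the return value of bpf_probe_read_user_str() is ignored, so a failed
///    copy is submitted with an all-zero pathname, and a string longer than
///    sizeof(pathname) is truncated without any marker;
///  - the caller's working directory and the requested mode are not
///    recorded.
/// Nothing is emitted when filter() returns non-zero or when the ring buffer
/// reservation fails; no drop counter is kept here, so records lost under
/// ring-buffer pressure are invisible to the consumer.
SEC("tracepoint/syscalls/sys_enter_chmod")
int handle_sys_enter_chmod(struct trace_event_raw_sys_enter *ctx)
{
    __u32 pid;
    __u32 tid;
    struct path_event *rec;

    if (filter(&pid, &tid)) {
        return 0;
    }

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec) {
        return 0;
    }

    rec->event_type = ENTER_PATH_EVENT;
    rec->trace_id = SYS_ENTER_CHMOD;
    rec->tid = tid;
    rec->pid = pid;
    rec->time = bpf_ktime_get_boot_ns();

    // Zero first so the bytes after the copied string's NUL are defined.
    __builtin_memset(&rec->pathname, 0, sizeof(rec->pathname));
    bpf_probe_read_user_str(rec->pathname, sizeof(rec->pathname), (void *)ctx->args[0]);

    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_chmod is a struct ret_event (UNCLASSIFIED)
/// Reports the return value of chmod(2); pid, tid and the timestamp are the
/// only fields that relate it to the enter record.
SEC("tracepoint/syscalls/sys_exit_chmod")
int handle_sys_exit_chmod(struct trace_event_raw_sys_exit *ctx)
{
    __u32 pid;
    __u32 tid;
    struct ret_event *rec;

    if (filter(&pid, &tid)) {
        return 0;
    }

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec) {
        return 0;
    }

    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_CHMOD;
    rec->ret_type = UNCLASSIFIED;
    rec->ret = ctx->ret;
    rec->tid = tid;
    rec->pid = pid;
    rec->time = bpf_ktime_get_boot_ns();

    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_fchownat is a struct path_event
/// Records args[1], the pathname argument of fchownat(2); dirfd (args[0]),
/// owner and group are not recorded. Same capture caveats as
/// handle_sys_enter_chmod above.
SEC("tracepoint/syscalls/sys_enter_fchownat")
int handle_sys_enter_fchownat(struct trace_event_raw_sys_enter *ctx)
{
    __u32 pid;
    __u32 tid;
    struct path_event *rec;

    if (filter(&pid, &tid)) {
        return 0;
    }

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec) {
        return 0;
    }

    rec->event_type = ENTER_PATH_EVENT;
    rec->trace_id = SYS_ENTER_FCHOWNAT;
    rec->tid = tid;
    rec->pid = pid;
    rec->time = bpf_ktime_get_boot_ns();

    __builtin_memset(&rec->pathname, 0, sizeof(rec->pathname));
    bpf_probe_read_user_str(rec->pathname, sizeof(rec->pathname), (void *)ctx->args[1]);

    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_fchownat is a struct ret_event (UNCLASSIFIED)
/// Reports the return value of fchownat(2).
SEC("tracepoint/syscalls/sys_exit_fchownat")
int handle_sys_exit_fchownat(struct trace_event_raw_sys_exit *ctx)
{
    __u32 pid;
    __u32 tid;
    struct ret_event *rec;

    if (filter(&pid, &tid)) {
        return 0;
    }

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec) {
        return 0;
    }

    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_FCHOWNAT;
    rec->ret_type = UNCLASSIFIED;
    rec->ret = ctx->ret;
    rec->tid = tid;
    rec->pid = pid;
    rec->time = bpf_ktime_get_boot_ns();

    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_chown is a struct path_event
/// Records args[0], the path argument of chown(2); same capture caveats as
/// handle_sys_enter_chmod above.
SEC("tracepoint/syscalls/sys_enter_chown")
int handle_sys_enter_chown(struct trace_event_raw_sys_enter *ctx)
{
    __u32 pid;
    __u32 tid;
    struct path_event *rec;

    if (filter(&pid, &tid)) {
        return 0;
    }

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec) {
        return 0;
    }

    rec->event_type = ENTER_PATH_EVENT;
    rec->trace_id = SYS_ENTER_CHOWN;
    rec->tid = tid;
    rec->pid = pid;
    rec->time = bpf_ktime_get_boot_ns();

    __builtin_memset(&rec->pathname, 0, sizeof(rec->pathname));
    bpf_probe_read_user_str(rec->pathname, sizeof(rec->pathname), (void *)ctx->args[0]);

    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_chown is a struct ret_event (UNCLASSIFIED)
/// Reports the return value of chown(2).
SEC("tracepoint/syscalls/sys_exit_chown")
int handle_sys_exit_chown(struct trace_event_raw_sys_exit *ctx)
{
    __u32 pid;
    __u32 tid;
    struct ret_event *rec;

    if (filter(&pid, &tid)) {
        return 0;
    }

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec) {
        return 0;
    }

    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_CHOWN;
    rec->ret_type = UNCLASSIFIED;
    rec->ret = ctx->ret;
    rec->tid = tid;
    rec->pid = pid;
    rec->time = bpf_ktime_get_boot_ns();

    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_lchown is a struct path_event
/// Records args[0], the path argument of lchown(2); same capture caveats as
/// handle_sys_enter_chmod above.
SEC("tracepoint/syscalls/sys_enter_lchown")
int handle_sys_enter_lchown(struct trace_event_raw_sys_enter *ctx)
{
    __u32 pid;
    __u32 tid;
    struct path_event *rec;

    if (filter(&pid, &tid)) {
        return 0;
    }

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec) {
        return 0;
    }

    rec->event_type = ENTER_PATH_EVENT;
    rec->trace_id = SYS_ENTER_LCHOWN;
    rec->tid = tid;
    rec->pid = pid;
    rec->time = bpf_ktime_get_boot_ns();

    __builtin_memset(&rec->pathname, 0, sizeof(rec->pathname));
    bpf_probe_read_user_str(rec->pathname, sizeof(rec->pathname), (void *)ctx->args[0]);

    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_lchown is a struct ret_event (UNCLASSIFIED)
/// Reports the return value of lchown(2).
SEC("tracepoint/syscalls/sys_exit_lchown")
int handle_sys_exit_lchown(struct trace_event_raw_sys_exit *ctx)
{
    __u32 pid;
    __u32 tid;
    struct ret_event *rec;

    if (filter(&pid, &tid)) {
        return 0;
    }

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec) {
        return 0;
    }

    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_LCHOWN;
    rec->ret_type = UNCLASSIFIED;
    rec->ret = ctx->ret;
    rec->tid = tid;
    rec->pid = pid;
    rec->time = bpf_ktime_get_boot_ns();

    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_fchown is a struct fd_event
/// Records args[0], the descriptor passed to fchown(2), narrowed to __s32.
/// Owner and group are not recorded.
SEC("tracepoint/syscalls/sys_enter_fchown")
int handle_sys_enter_fchown(struct trace_event_raw_sys_enter *ctx)
{
    __u32 pid;
    __u32 tid;
    struct fd_event *rec;

    if (filter(&pid, &tid)) {
        return 0;
    }

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec) {
        return 0;
    }

    rec->event_type = ENTER_FD_EVENT;
    rec->trace_id = SYS_ENTER_FCHOWN;
    rec->fd = (__s32)ctx->args[0];
    rec->tid = tid;
    rec->pid = pid;
    rec->time = bpf_ktime_get_boot_ns();

    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_fchown is a struct ret_event (UNCLASSIFIED)
/// Reports the return value of fchown(2).
SEC("tracepoint/syscalls/sys_exit_fchown")
int handle_sys_exit_fchown(struct trace_event_raw_sys_exit *ctx)
{
    __u32 pid;
    __u32 tid;
    struct ret_event *rec;

    if (filter(&pid, &tid)) {
        return 0;
    }

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec) {
        return 0;
    }

    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_FCHOWN;
    rec->ret_type = UNCLASSIFIED;
    rec->ret = ctx->ret;
    rec->tid = tid;
    rec->pid = pid;
    rec->time = bpf_ktime_get_boot_ns();

    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_open is a struct open_event
///
/// Records the filename (args[0]), the open flags (args[1]) and the current
/// task's comm for open(2). The filename has the same capture caveats as
/// handle_sys_enter_chmod above (user-memory snapshot, ignored copy result,
/// truncation).
///
/// The generated code cleared filename and comm with a single memset of
/// sizeof(filename) + sizeof(comm) starting at filename, which is only
/// correct if comm directly follows filename in struct open_event. The two
/// arrays are cleared separately here so the write stays inside each member
/// whatever the struct layout is. This file is generated, so the same change
/// belongs in the generator template.
SEC("tracepoint/syscalls/sys_enter_open")
int handle_sys_enter_open(struct trace_event_raw_sys_enter *ctx)
{
    __u32 pid;
    __u32 tid;
    struct open_event *rec;

    if (filter(&pid, &tid)) {
        return 0;
    }

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec) {
        return 0;
    }

    rec->event_type = ENTER_OPEN_EVENT;
    rec->trace_id = SYS_ENTER_OPEN;
    rec->tid = tid;
    rec->pid = pid;
    rec->time = bpf_ktime_get_boot_ns();

    // Clear each array on its own; see the function comment.
    __builtin_memset(&rec->filename, 0, sizeof(rec->filename));
    __builtin_memset(&rec->comm, 0, sizeof(rec->comm));
    bpf_probe_read_user_str(rec->filename, sizeof(rec->filename), (void *)ctx->args[0]);
    bpf_get_current_comm(&rec->comm, sizeof(rec->comm));
    rec->flags = ctx->args[1];

    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_open is a struct ret_event (UNCLASSIFIED)
/// Reports the return value of open(2), i.e. the new descriptor or an error.
SEC("tracepoint/syscalls/sys_exit_open")
int handle_sys_exit_open(struct trace_event_raw_sys_exit *ctx)
{
    __u32 pid;
    __u32 tid;
    struct ret_event *rec;

    if (filter(&pid, &tid)) {
        return 0;
    }

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec) {
        return 0;
    }

    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_OPEN;
    rec->ret_type = UNCLASSIFIED;
    rec->ret = ctx->ret;
    rec->tid = tid;
    rec->pid = pid;
    rec->time = bpf_ktime_get_boot_ns();

    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_openat is a struct open_event
/// Records the filename (args[1]), the open flags (args[2]) and the current
/// task's comm for openat(2). dirfd (args[0]) is not recorded, so a relative
/// filename cannot be resolved from this record alone. filename and comm are
/// cleared separately, as in handle_sys_enter_open above.
SEC("tracepoint/syscalls/sys_enter_openat")
int handle_sys_enter_openat(struct trace_event_raw_sys_enter *ctx)
{
    __u32 pid;
    __u32 tid;
    struct open_event *rec;

    if (filter(&pid, &tid)) {
        return 0;
    }

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec) {
        return 0;
    }

    rec->event_type = ENTER_OPEN_EVENT;
    rec->trace_id = SYS_ENTER_OPENAT;
    rec->tid = tid;
    rec->pid = pid;
    rec->time = bpf_ktime_get_boot_ns();

    __builtin_memset(&rec->filename, 0, sizeof(rec->filename));
    __builtin_memset(&rec->comm, 0, sizeof(rec->comm));
    bpf_probe_read_user_str(rec->filename, sizeof(rec->filename), (void *)ctx->args[1]);
    bpf_get_current_comm(&rec->comm, sizeof(rec->comm));
    rec->flags = ctx->args[2];

    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_openat is a struct ret_event (UNCLASSIFIED)
/// Reports the return value of openat(2).
SEC("tracepoint/syscalls/sys_exit_openat")
int handle_sys_exit_openat(struct trace_event_raw_sys_exit *ctx)
{
    __u32 pid;
    __u32 tid;
    struct ret_event *rec;

    if (filter(&pid, &tid)) {
        return 0;
    }

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec) {
        return 0;
    }

    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_OPENAT;
    rec->ret_type = UNCLASSIFIED;
    rec->ret = ctx->ret;
    rec->tid = tid;
    rec->pid = pid;
    rec->time = bpf_ktime_get_boot_ns();

    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_openat2 is a struct open_event
/// Records the filename (args[1]) and the current task's comm for
/// openat2(2). The open flags are NOT captured: openat2 passes them inside
/// the struct open_how that args[2] points to, which this handler does not
/// read, so flags is set to -1. Consumers should treat -1 as "unknown"
/// rather than as a flag mask; rules keyed on open flags do not see opens
/// made through openat2.
SEC("tracepoint/syscalls/sys_enter_openat2")
int handle_sys_enter_openat2(struct trace_event_raw_sys_enter *ctx)
{
    __u32 pid;
    __u32 tid;
    struct open_event *rec;

    if (filter(&pid, &tid)) {
        return 0;
    }

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec) {
        return 0;
    }

    rec->event_type = ENTER_OPEN_EVENT;
    rec->trace_id = SYS_ENTER_OPENAT2;
    rec->tid = tid;
    rec->pid = pid;
    rec->time = bpf_ktime_get_boot_ns();

    __builtin_memset(&rec->filename, 0, sizeof(rec->filename));
    __builtin_memset(&rec->comm, 0, sizeof(rec->comm));
    bpf_probe_read_user_str(rec->filename, sizeof(rec->filename), (void *)ctx->args[1]);
    bpf_get_current_comm(&rec->comm, sizeof(rec->comm));
    rec->flags = -1; // sentinel: flags live in struct open_how and are not read

    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_openat2 is a struct ret_event (UNCLASSIFIED)
/// Reports the return value of openat2(2).
SEC("tracepoint/syscalls/sys_exit_openat2")
int handle_sys_exit_openat2(struct trace_event_raw_sys_exit *ctx)
{
    __u32 pid;
    __u32 tid;
    struct ret_event *rec;

    if (filter(&pid, &tid)) {
        return 0;
    }

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec) {
        return 0;
    }

    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_OPENAT2;
    rec->ret_type = UNCLASSIFIED;
    rec->ret = ctx->ret;
    rec->tid = tid;
    rec->pid = pid;
    rec->time = bpf_ktime_get_boot_ns();

    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_creat is a struct path_event
/// Records args[0], the pathname argument of creat(2); same capture caveats
/// as handle_sys_enter_chmod above. Unlike the open handlers this emits a
/// path_event, so no comm or flags are attached.
SEC("tracepoint/syscalls/sys_enter_creat")
int handle_sys_enter_creat(struct trace_event_raw_sys_enter *ctx)
{
    __u32 pid;
    __u32 tid;
    struct path_event *rec;

    if (filter(&pid, &tid)) {
        return 0;
    }

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec) {
        return 0;
    }

    rec->event_type = ENTER_PATH_EVENT;
    rec->trace_id = SYS_ENTER_CREAT;
    rec->tid = tid;
    rec->pid = pid;
    rec->time = bpf_ktime_get_boot_ns();

    __builtin_memset(&rec->pathname, 0, sizeof(rec->pathname));
    bpf_probe_read_user_str(rec->pathname, sizeof(rec->pathname), (void *)ctx->args[0]);

    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_creat is a struct ret_event (UNCLASSIFIED)
/// Reports the return value of creat(2).
SEC("tracepoint/syscalls/sys_exit_creat")
int handle_sys_exit_creat(struct trace_event_raw_sys_exit *ctx)
{
    __u32 pid;
    __u32 tid;
    struct ret_event *rec;

    if (filter(&pid, &tid)) {
        return 0;
    }

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec) {
        return 0;
    }

    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_CREAT;
    rec->ret_type = UNCLASSIFIED;
    rec->ret = ctx->ret;
    rec->tid = tid;
    rec->pid = pid;
    rec->time = bpf_ktime_get_boot_ns();

    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_close is a struct fd_event
/// Records args[0], the descriptor passed to close(2), narrowed to __s32.
SEC("tracepoint/syscalls/sys_enter_close")
int handle_sys_enter_close(struct trace_event_raw_sys_enter *ctx)
{
    __u32 pid;
    __u32 tid;
    struct fd_event *rec;

    if (filter(&pid, &tid)) {
        return 0;
    }

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec) {
        return 0;
    }

    rec->event_type = ENTER_FD_EVENT;
    rec->trace_id = SYS_ENTER_CLOSE;
    rec->fd = (__s32)ctx->args[0];
    rec->tid = tid;
    rec->pid = pid;
    rec->time = bpf_ktime_get_boot_ns();

    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_close is a struct ret_event (UNCLASSIFIED)
/// Reports the return value of close(2).
SEC("tracepoint/syscalls/sys_exit_close")
int handle_sys_exit_close(struct trace_event_raw_sys_exit *ctx)
{
    __u32 pid;
    __u32 tid;
    struct ret_event *rec;

    if (filter(&pid, &tid)) {
        return 0;
    }

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec) {
        return 0;
    }

    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_CLOSE;
    rec->ret_type = UNCLASSIFIED;
    rec->ret = ctx->ret;
    rec->tid = tid;
    rec->pid = pid;
    rec->time = bpf_ktime_get_boot_ns();

    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_msync is a struct null_event
/// Emits only the common header (type, trace id, pid, tid, time); none of
/// the msync(2) arguments are recorded.
SEC("tracepoint/syscalls/sys_enter_msync")
int handle_sys_enter_msync(struct trace_event_raw_sys_enter *ctx)
{
    __u32 pid;
    __u32 tid;
    struct null_event *rec;

    if (filter(&pid, &tid)) {
        return 0;
    }

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec) {
        return 0;
    }

    rec->event_type = ENTER_NULL_EVENT;
    rec->trace_id = SYS_ENTER_MSYNC;
    rec->tid = tid;
    rec->pid = pid;
    rec->time = bpf_ktime_get_boot_ns();

    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_msync is a struct ret_event (UNCLASSIFIED)
/// Reports the return value of msync(2).
SEC("tracepoint/syscalls/sys_exit_msync")
int handle_sys_exit_msync(struct trace_event_raw_sys_exit *ctx)
{
    __u32 pid;
    __u32 tid;
    struct ret_event *rec;

    if (filter(&pid, &tid)) {
        return 0;
    }

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec) {
        return 0;
    }

    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_MSYNC;
    rec->ret_type = UNCLASSIFIED;
    rec->ret = ctx->ret;
    rec->tid = tid;
    rec->pid = pid;
    rec->time = bpf_ktime_get_boot_ns();

    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_readahead is a struct fd_event
/// Records args[0], the descriptor passed to readahead(2), narrowed to
/// __s32; offset and count are not recorded.
SEC("tracepoint/syscalls/sys_enter_readahead")
int handle_sys_enter_readahead(struct trace_event_raw_sys_enter *ctx)
{
    __u32 pid;
    __u32 tid;
    struct fd_event *rec;

    if (filter(&pid, &tid)) {
        return 0;
    }

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec) {
        return 0;
    }

    rec->event_type = ENTER_FD_EVENT;
    rec->trace_id = SYS_ENTER_READAHEAD;
    rec->fd = (__s32)ctx->args[0];
    rec->tid = tid;
    rec->pid = pid;
    rec->time = bpf_ktime_get_boot_ns();

    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_readahead is a struct ret_event (UNCLASSIFIED)
/// Reports the return value of readahead(2).
SEC("tracepoint/syscalls/sys_exit_readahead")
int handle_sys_exit_readahead(struct trace_event_raw_sys_exit *ctx)
{
    __u32 pid;
    __u32 tid;
    struct ret_event *rec;

    if (filter(&pid, &tid)) {
        return 0;
    }

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec) {
        return 0;
    }

    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_READAHEAD;
    rec->ret_type = UNCLASSIFIED;
    rec->ret = ctx->ret;
    rec->tid = tid;
    rec->pid = pid;
    rec->time = bpf_ktime_get_boot_ns();

    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_fadvise64 is a struct fd_event
/// Records args[0], the descriptor passed to fadvise64(2), narrowed to
/// __s32.
SEC("tracepoint/syscalls/sys_enter_fadvise64")
int handle_sys_enter_fadvise64(struct trace_event_raw_sys_enter *ctx)
{
    __u32 pid;
    __u32 tid;
    struct fd_event *rec;

    if (filter(&pid, &tid)) {
        return 0;
    }

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec) {
        return 0;
    }

    rec->event_type = ENTER_FD_EVENT;
    rec->trace_id = SYS_ENTER_FADVISE64;
    rec->fd = (__s32)ctx->args[0];
    rec->tid = tid;
    rec->pid = pid;
    rec->time = bpf_ktime_get_boot_ns();

    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_fadvise64 is a struct ret_event (UNCLASSIFIED)
/// Reports the return value of fadvise64(2).
SEC("tracepoint/syscalls/sys_exit_fadvise64")
int handle_sys_exit_fadvise64(struct trace_event_raw_sys_exit *ctx)
{
    __u32 pid;
    __u32 tid;
    struct ret_event *rec;

    if (filter(&pid, &tid)) {
        return 0;
    }

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec) {
        return 0;
    }

    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_FADVISE64;
    rec->ret_type = UNCLASSIFIED;
    rec->ret = ctx->ret;
    rec->tid = tid;
    rec->pid = pid;
    rec->time = bpf_ktime_get_boot_ns();

    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_cachestat is a struct fd_event
/// Records args[0], the descriptor passed to cachestat(2), narrowed to
/// __s32.
SEC("tracepoint/syscalls/sys_enter_cachestat")
int handle_sys_enter_cachestat(struct trace_event_raw_sys_enter *ctx)
{
    __u32 pid;
    __u32 tid;
    struct fd_event *rec;

    if (filter(&pid, &tid)) {
        return 0;
    }

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec) {
        return 0;
    }

    rec->event_type = ENTER_FD_EVENT;
    rec->trace_id = SYS_ENTER_CACHESTAT;
    rec->fd = (__s32)ctx->args[0];
    rec->tid = tid;
    rec->pid = pid;
    rec->time = bpf_ktime_get_boot_ns();

    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_cachestat is a struct ret_event (UNCLASSIFIED)
/// Reports the return value of cachestat(2).
SEC("tracepoint/syscalls/sys_exit_cachestat")
int handle_sys_exit_cachestat(struct trace_event_raw_sys_exit *ctx)
{
    __u32 pid;
    __u32 tid;
    struct ret_event *rec;

    if (filter(&pid, &tid)) {
        return 0;
    }

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec) {
        return 0;
    }

    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_CACHESTAT;
    rec->ret_type = UNCLASSIFIED;
    rec->ret = ctx->ret;
    rec->tid = tid;
    rec->pid = pid;
    rec->time = bpf_ktime_get_boot_ns();

    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_finit_module is a struct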
/// fd_event
///
/// Records args[0], the descriptor passed to finit_module(2), narrowed to
/// __s32. A kernel-module load is a high-value event for auditing, but this
/// record holds only the descriptor number: it does not identify the file
/// behind it, and the module parameters and flags are not recorded.
/// Nothing is emitted when filter() returns non-zero or when the ring buffer
/// reservation fails; no drop counter is kept here, so records lost under
/// ring-buffer pressure are invisible to the consumer.
SEC("tracepoint/syscalls/sys_enter_finit_module")
int handle_sys_enter_finit_module(struct trace_event_raw_sys_enter *ctx)
{
    __u32 pid;
    __u32 tid;
    struct fd_event *rec;

    if (filter(&pid, &tid)) {
        return 0;
    }

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec) {
        return 0;
    }

    rec->event_type = ENTER_FD_EVENT;
    rec->trace_id = SYS_ENTER_FINIT_MODULE;
    rec->fd = (__s32)ctx->args[0];
    rec->tid = tid;
    rec->pid = pid;
    rec->time = bpf_ktime_get_boot_ns();

    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_finit_module is a struct ret_event (UNCLASSIFIED)
/// Reports the return value of finit_module(2); pid, tid and the timestamp
/// are the only fields that relate it to the enter record.
SEC("tracepoint/syscalls/sys_exit_finit_module")
int handle_sys_exit_finit_module(struct trace_event_raw_sys_exit *ctx)
{
    __u32 pid;
    __u32 tid;
    struct ret_event *rec;

    if (filter(&pid, &tid)) {
        return 0;
    }

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec) {
        return 0;
    }

    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_FINIT_MODULE;
    rec->ret_type = UNCLASSIFIED;
    rec->ret = ctx->ret;
    rec->tid = tid;
    rec->pid = pid;
    rec->time = bpf_ktime_get_boot_ns();

    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_syslog is a struct null_event
/// Emits only the common header (type, trace id, pid, tid, time); none of
/// the syslog(2) arguments are recorded.
SEC("tracepoint/syscalls/sys_enter_syslog")
int handle_sys_enter_syslog(struct trace_event_raw_sys_enter *ctx)
{
    __u32 pid;
    __u32 tid;
    struct null_event *rec;

    if (filter(&pid, &tid)) {
        return 0;
    }

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec) {
        return 0;
    }

    rec->event_type = ENTER_NULL_EVENT;
    rec->trace_id = SYS_ENTER_SYSLOG;
    rec->tid = tid;
    rec->pid = pid;
    rec->time = bpf_ktime_get_boot_ns();

    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_syslog is a struct ret_event (READ_CLASSIFIED)
/// Reports the return value of syslog(2), tagged READ_CLASSIFIED rather than
/// UNCLASSIFIED. NOTE(review): presumably this tells the consumer to count
/// the value as bytes read; since the syslog action type is not recorded at
/// entry, confirm the consumer handles non-read actions sensibly.
SEC("tracepoint/syscalls/sys_exit_syslog")
int handle_sys_exit_syslog(struct trace_event_raw_sys_exit *ctx)
{
    __u32 pid;
    __u32 tid;
    struct ret_event *rec;

    if (filter(&pid, &tid)) {
        return 0;
    }

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec) {
        return 0;
    }

    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_SYSLOG;
    rec->ret_type = READ_CLASSIFIED;
    rec->ret = ctx->ret;
    rec->tid = tid;
    rec->pid = pid;
    rec->time = bpf_ktime_get_boot_ns();

    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_pidfd_getfd is a struct fd_event
/// Records args[0] narrowed to __s32. For pidfd_getfd(2) that argument is
/// the pidfd naming the target process; the descriptor being duplicated
/// (args[1]) is not recorded, and the new local descriptor only appears as
/// the return value in the exit record.
SEC("tracepoint/syscalls/sys_enter_pidfd_getfd")
int handle_sys_enter_pidfd_getfd(struct trace_event_raw_sys_enter *ctx)
{
    __u32 pid;
    __u32 tid;
    struct fd_event *rec;

    if (filter(&pid, &tid)) {
        return 0;
    }

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec) {
        return 0;
    }

    rec->event_type = ENTER_FD_EVENT;
    rec->trace_id = SYS_ENTER_PIDFD_GETFD;
    rec->fd = (__s32)ctx->args[0];
    rec->tid = tid;
    rec->pid = pid;
    rec->time = bpf_ktime_get_boot_ns();

    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_pidfd_getfd is a struct ret_event (UNCLASSIFIED)
/// Reports the return value of pidfd_getfd(2).
SEC("tracepoint/syscalls/sys_exit_pidfd_getfd")
int handle_sys_exit_pidfd_getfd(struct trace_event_raw_sys_exit *ctx)
{
    __u32 pid;
    __u32 tid;
    struct ret_event *rec;

    if (filter(&pid, &tid)) {
        return 0;
    }

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec) {
        return 0;
    }

    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_PIDFD_GETFD;
    rec->ret_type = UNCLASSIFIED;
    rec->ret = ctx->ret;
    rec->tid = tid;
    rec->pid = pid;
    rec->time = bpf_ktime_get_boot_ns();

    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_enter_mmap is a struct fd_event
/// Records args[4], the fd argument of mmap(2), narrowed to __s32; the
/// other handlers in this group read args[0]. Anonymous mappings
/// conventionally pass -1 here. prot and flags are not recorded, so the
/// record does not show whether the mapping is executable or shared.
SEC("tracepoint/syscalls/sys_enter_mmap")
int handle_sys_enter_mmap(struct trace_event_raw_sys_enter *ctx)
{
    __u32 pid;
    __u32 tid;
    struct fd_event *rec;

    if (filter(&pid, &tid)) {
        return 0;
    }

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec) {
        return 0;
    }

    rec->event_type = ENTER_FD_EVENT;
    rec->trace_id = SYS_ENTER_MMAP;
    rec->fd = (__s32)ctx->args[4];
    rec->tid = tid;
    rec->pid = pid;
    rec->time = bpf_ktime_get_boot_ns();

    bpf_ringbuf_submit(rec, 0);
    return 0;
}

/// sys_exit_mmap is a struct ret_event (UNCLASSIFIED)
/// Reports the return value of mmap(2), copied from ctx->ret.
SEC("tracepoint/syscalls/sys_exit_mmap")
int handle_sys_exit_mmap(struct trace_event_raw_sys_exit *ctx)
{
    __u32 pid;
    __u32 tid;
    struct ret_event *rec;

    if (filter(&pid, &tid)) {
        return 0;
    }

    rec = bpf_ringbuf_reserve(&event_map, sizeof(*rec), 0);
    if (!rec) {
        return 0;
    }

    rec->event_type = EXIT_RET_EVENT;
    rec->trace_id = SYS_EXIT_MMAP;
    rec->ret_type = UNCLASSIFIED;
    rec->ret = ctx->ret;
    rec->tid = tid;
    rec->pid = pid;
    rec->time = bpf_ktime_get_boot_ns();

    bpf_ringbuf_submit(rec, 0);
    return 0;
}