package generate
// kindMeta is the static, per-kind record the generator consults for a
// TracepointKind. A new kind is described by registering one kindMeta value
// rather than by extending switch statements elsewhere (Open/Closed Principle).
type kindMeta struct {
	// structName names the C struct used in generated BPF handlers,
	// for example "fd_event".
	structName string

	// enterAccepted is true when the kind is valid on a syscall-enter
	// tracepoint. Exit-only kinds (e.g. KindRet) leave it false. Because false
	// is the zero value, a kindMeta that was never filled in reports
	// "not accepted" rather than "accepted".
	enterAccepted bool
}
// kindRegistry is the single table from TracepointKind to kindMeta.
// Registering a new syscall classification means adding one entry below; the
// consumers named by the author (isEnterRejected, eventStructName,
// eventTypeConstant) are expected to reach it through lookupKind.
//
// Only KindRet is registered with enterAccepted false. Every other entry is
// enter-accepted, so a review of a new entry should check that flag first.
var kindRegistry = map[TracepointKind]kindMeta{
	KindFd: {structName: "fd_event", enterAccepted: true},
	// KindOpen and KindMqOpen share the open_event struct.
	KindOpen:     {structName: "open_event", enterAccepted: true},
	KindMqOpen:   {structName: "open_event", enterAccepted: true},
	KindExec:     {structName: "exec_event", enterAccepted: true},
	KindPathname: {structName: "path_event", enterAccepted: true},
	KindName:     {structName: "name_event", enterAccepted: true},
	// Exit-only: the one registered kind that is not valid on enter.
	KindRet:            {structName: "ret_event", enterAccepted: false},
	KindFcntl:          {structName: "fcntl_event", enterAccepted: true},
	KindNull:           {structName: "null_event", enterAccepted: true},
	KindDup3:           {structName: "dup3_event", enterAccepted: true},
	KindOpenByHandleAt: {structName: "open_by_handle_at_event", enterAccepted: true},
	KindSocket:         {structName: "socket_event", enterAccepted: true},
	KindSocketpair:     {structName: "socketpair_event", enterAccepted: true},
	KindAccept:         {structName: "accept_event", enterAccepted: true},
	KindPipe:           {structName: "pipe_event", enterAccepted: true},
	// KindEventfd and KindPidfd share the eventfd_event struct.
	KindEventfd:  {structName: "eventfd_event", enterAccepted: true},
	KindPidfd:    {structName: "eventfd_event", enterAccepted: true},
	KindEpollCtl: {structName: "epoll_ctl_event", enterAccepted: true},
	KindTwoFd:    {structName: "two_fd_event", enterAccepted: true},
	KindPoll:     {structName: "poll_event", enterAccepted: true},
	KindMem:      {structName: "mem_event", enterAccepted: true},
	KindSleep:    {structName: "sleep_event", enterAccepted: true},
	KindKeyctl:   {structName: "keyctl_event", enterAccepted: true},
	KindPtrace:   {structName: "ptrace_event", enterAccepted: true},
	KindPerfOpen: {structName: "perf_open_event", enterAccepted: true},
	// The remaining kinds reuse null_event, the same struct as KindNull.
	// NOTE(review): several of them look security-relevant (KindSeccomp,
	// KindModule, KindBpf, KindPrctl); whether null_event records enough
	// detail for those calls is not visible in this file — confirm.
	KindSeccomp:  {structName: "null_event", enterAccepted: true},
	KindModule:   {structName: "null_event", enterAccepted: true},
	KindSysVId:   {structName: "null_event", enterAccepted: true},
	KindSysVOp:   {structName: "null_event", enterAccepted: true},
	KindProc:     {structName: "null_event", enterAccepted: true},
	KindBpf:      {structName: "null_event", enterAccepted: true},
	KindFutex:    {structName: "null_event", enterAccepted: true},
	KindPrctl:    {structName: "null_event", enterAccepted: true},
	KindTimerObj: {structName: "null_event", enterAccepted: true},
	// KindNone has no entry on purpose: it stands for "unclassified".
	// lookupKind answers any unregistered kind with a fallback kindMeta
	// (structName "unknown_event", enterAccepted false), not the zero value,
	// so KindNone is never reported as enter-accepted.
}
// lookupKind resolves kind to its registered metadata. For a kind with no
// entry in kindRegistry (e.g. KindNone or an unknown value) it returns a
// fallback kindMeta rather than the zero value: structName is
// "unknown_event" and enterAccepted is false, so an unregistered kind is
// never reported as enter-accepted.
func lookupKind(kind TracepointKind) kindMeta {
	meta, found := kindRegistry[kind]
	if !found {
		// NOTE(review): "unknown_event" is a sentinel, not a registered
		// struct name. Callers that write structName into generated C should
		// treat it as an error; whether they do is not visible here.
		return kindMeta{structName: "unknown_event", enterAccepted: false}
	}
	return meta
}