ErrLog-4.8-1.txt
INFO:check_bpf_jit_status: ENABLED.
>>>>> Generated eBPF code <<<<<
/*
* Copyright 2016-2017, Intel Corporation
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* * Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* * Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* * Neither the name of the copyright holder nor the names of its
* contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
/*
* trace_head.c -- The head for generated eBPF code. Uses BCC, eBPF.
*/
#include <uapi/linux/ptrace.h>
#include <uapi/linux/limits.h>
#include <linux/sched.h>
/*
* trace.h -- Data exchange packet between packet filter and reader callback
*/
#ifndef TRACE_H
#define TRACE_H
/*
* The longest syscall name is 26 characters long:
* 'SyS_sched_get_priority_max'.
* Leave room for the terminating '\0' and a few extra bytes.
*/
enum { E_SC_NAME_SIZE = 32 };
/*
* struct ev_dt_t -- one packet passed from an eBPF handler to the reader
* callback. The handlers below submit it through the 'events' perf output.
*/
struct ev_dt_t {
/*
* This field is set for glibc-defined syscalls and describes
* a series of packets for every syscall.
*
* It is needed because we are limited to a stack size of
* 512 bytes and the used part of the stack is initialized with zeros
* on every call of the syscall handlers.
*
* A value equal to 0 means that this is a "single-packet" syscall
* and no additional packets will be sent.
* A value greater than 0 means that this is the first packet and
* 'packet_type' more additional packets will be sent.
* A value less than 0 means that this is an additional packet with
* serial number 'packet_type'.
*
* The content of additional packets is defined by the syscall number in
* the first packet. There are no additional packets for "sc_id == -2".
*/
s64 packet_type;
/*
* Syscall's signature. All packets with the same signature belong to the
* same call of the same syscall. We need two timestamps here, because
* syscalls from the same pid_tid can nest: a signal handler can call a
* syscall before the syscall called from the main context has returned.
*
* XXX Strictly speaking sc_id is not needed here, but its presence
* simplifies a lot of processing, so let's keep it here.
*/
struct {
u64 pid_tid;
/* Timestamps */
u64 start_ts_nsec;
u64 finish_ts_nsec;
/*
* A value equal to -1 means "header".
*
* A value equal to -2 means that the syscall's number is
* unknown to glibc and the field sc_name should be
* used to figure out the syscall.
*/
s64 sc_id;
};
union {
/* Body of first packet */
struct {
s64 ret;
s64 arg_1;
s64 arg_2;
s64 arg_3;
s64 arg_4;
s64 arg_5;
s64 arg_6;
union {
/* should be last in this structure */
char sc_name[E_SC_NAME_SIZE];
/*
* Body of string argument. The content and
* meaning of argument is defined by
* syscall's number in the sc_id field.
*
* Declared with one element only: a handler that
* fills it must reserve the NAME_MAX bytes itself
* (the file-name handlers do so with a _pad union).
*/
char aux_str[1]; /* NAME_MAX */
};
};
/* Body of header */
struct {
s64 argc;
char argv[];
} header;
/*
* Body of string argument. The content and meaning of argument
* is defined by syscall's number (in the first packet) in
* the sc_id field.
*/
char str[1]; /* NAME_MAX */
};
};
#endif /* TRACE_H */
/*
* struct first_step_t -- value type of the tmp_i map: what an entry handler
* saves for the matching exit handler.
*/
struct first_step_t {
/* values read with PT_REGS_PARM1..PT_REGS_PARM6 at syscall entry */
s64 arg_1;
s64 arg_2;
s64 arg_3;
s64 arg_4;
s64 arg_5;
s64 arg_6;
/* bpf_ktime_get_ns() taken at syscall entry */
u64 start_ts_nsec;
};
/*
* The set of our children_pid.
* NOTE(review): not referenced by the handlers visible in this listing,
* which compare against a fixed PID instead (no-follow-fork mode).
*/
BPF_HASH(children_map, u64, u64);
/*
* Entry records keyed by the bpf_get_current_pid_tgid() value: written by
* the kprobe handlers, looked up and deleted by the kretprobe handlers.
* NOTE(review): a record is removed only by its exit handler, so a record
* whose exit handler never runs stays in the map -- confirm whether
* anything else cleans it up.
*/
BPF_HASH(tmp_i, u64, struct first_step_t);
/* Perf output the exit handlers submit struct ev_dt_t packets to */
BPF_PERF_OUTPUT(events);
/*
* trace_libc_tmpl.c -- Trace syscalls with numbers known from libc.
* Uses BCC, eBPF.
*/
/*
 * kprobe__SyS_read -- entry probe for SyS_read().
 *
 * Stores the entry timestamp and the six argument registers in tmp_i,
 * keyed by the current pid_tgid value, for the exit probe to pick up.
 * Tasks whose tgid (upper 32 bits of the key) is not 2878 are ignored.
 */
int
kprobe__SyS_read(struct pt_regs *ctx)
{
	u64 pid_tid = bpf_get_current_pid_tgid();
	struct first_step_t entry;

	/* no-follow-fork mode: only the process with tgid 2878 is traced */
	if ((pid_tid >> 32) != 2878)
		return 0;

	entry.start_ts_nsec = bpf_ktime_get_ns();
	entry.arg_1 = PT_REGS_PARM1(ctx);
	entry.arg_2 = PT_REGS_PARM2(ctx);
	entry.arg_3 = PT_REGS_PARM3(ctx);
	entry.arg_4 = PT_REGS_PARM4(ctx);
	entry.arg_5 = PT_REGS_PARM5(ctx);
	entry.arg_6 = PT_REGS_PARM6(ctx);

	/* result unchecked: a failed insert leaves no record for the exit probe */
	tmp_i.update(&pid_tid, &entry);
	return 0;
}
/*
 * kretprobe__SyS_read -- return probe for SyS_read().
 *
 * Finds the record saved by the entry probe, sends one single-packet event
 * (signature, return value, six arguments) on 'events' and drops the
 * record. There is no tgid check here; the lookup in tmp_i acts as the
 * filter.
 */
int
kretprobe__SyS_read(struct pt_regs *ctx)
{
	/* only the fixed-size part of the packet, up to sc_name, is sent */
	enum { ev_size = offsetof(struct ev_dt_t, sc_name) };
	struct ev_dt_t pkt;
	struct first_step_t *saved;
	u64 cur_nsec = bpf_ktime_get_ns();
	u64 pid_tid = bpf_get_current_pid_tgid();

	saved = tmp_i.lookup(&pid_tid);
	if (!saved)
		return 0;

	pkt.packet_type = 0; /* No additional packets */
	pkt.pid_tid = pid_tid;
	pkt.start_ts_nsec = saved->start_ts_nsec;
	pkt.finish_ts_nsec = cur_nsec;
	pkt.sc_id = __NR_read; /* SysCall ID */

	pkt.ret = PT_REGS_RC(ctx);
	pkt.arg_1 = saved->arg_1;
	pkt.arg_2 = saved->arg_2;
	pkt.arg_3 = saved->arg_3;
	pkt.arg_4 = saved->arg_4;
	pkt.arg_5 = saved->arg_5;
	pkt.arg_6 = saved->arg_6;

	/* all ev_size bytes were assigned above, so no stale stack is sent */
	events.perf_submit(ctx, &pkt, ev_size);
	tmp_i.delete(&pid_tid);
	return 0;
}
/*
* trace_libc_tmpl.c -- Trace syscalls with numbers known from libc.
* Uses BCC, eBPF.
*/
/*
 * kprobe__SyS_write -- entry probe for SyS_write().
 *
 * Stores the entry timestamp and the six argument registers in tmp_i,
 * keyed by the current pid_tgid value, for the exit probe to pick up.
 * Tasks whose tgid (upper 32 bits of the key) is not 2878 are ignored.
 */
int
kprobe__SyS_write(struct pt_regs *ctx)
{
	u64 pid_tid = bpf_get_current_pid_tgid();
	struct first_step_t entry;

	/* no-follow-fork mode: only the process with tgid 2878 is traced */
	if ((pid_tid >> 32) != 2878)
		return 0;

	entry.start_ts_nsec = bpf_ktime_get_ns();
	entry.arg_1 = PT_REGS_PARM1(ctx);
	entry.arg_2 = PT_REGS_PARM2(ctx);
	entry.arg_3 = PT_REGS_PARM3(ctx);
	entry.arg_4 = PT_REGS_PARM4(ctx);
	entry.arg_5 = PT_REGS_PARM5(ctx);
	entry.arg_6 = PT_REGS_PARM6(ctx);

	/* result unchecked: a failed insert leaves no record for the exit probe */
	tmp_i.update(&pid_tid, &entry);
	return 0;
}
/*
 * kretprobe__SyS_write -- return probe for SyS_write().
 *
 * Finds the record saved by the entry probe, sends one single-packet event
 * (signature, return value, six arguments) on 'events' and drops the
 * record. There is no tgid check here; the lookup in tmp_i acts as the
 * filter.
 */
int
kretprobe__SyS_write(struct pt_regs *ctx)
{
	/* only the fixed-size part of the packet, up to sc_name, is sent */
	enum { ev_size = offsetof(struct ev_dt_t, sc_name) };
	struct ev_dt_t pkt;
	struct first_step_t *saved;
	u64 cur_nsec = bpf_ktime_get_ns();
	u64 pid_tid = bpf_get_current_pid_tgid();

	saved = tmp_i.lookup(&pid_tid);
	if (!saved)
		return 0;

	pkt.packet_type = 0; /* No additional packets */
	pkt.pid_tid = pid_tid;
	pkt.start_ts_nsec = saved->start_ts_nsec;
	pkt.finish_ts_nsec = cur_nsec;
	pkt.sc_id = __NR_write; /* SysCall ID */

	pkt.ret = PT_REGS_RC(ctx);
	pkt.arg_1 = saved->arg_1;
	pkt.arg_2 = saved->arg_2;
	pkt.arg_3 = saved->arg_3;
	pkt.arg_4 = saved->arg_4;
	pkt.arg_5 = saved->arg_5;
	pkt.arg_6 = saved->arg_6;

	/* all ev_size bytes were assigned above, so no stale stack is sent */
	events.perf_submit(ctx, &pkt, ev_size);
	tmp_i.delete(&pid_tid);
	return 0;
}
/*
* trace_file_tmpl-sl.c -- Trace syscalls with numbers known from libc and
* filename as first argument. Single-packet version. Uses BCC, eBPF.
*/
/*
 * kprobe__SyS_open -- entry probe for SyS_open().
 *
 * Stores the entry timestamp and the six argument registers in tmp_i,
 * keyed by the current pid_tgid value, for the exit probe to pick up.
 * Tasks whose tgid (upper 32 bits of the key) is not 2878 are ignored.
 */
int
kprobe__SyS_open(struct pt_regs *ctx)
{
	u64 pid_tid = bpf_get_current_pid_tgid();
	struct first_step_t entry;

	/* no-follow-fork mode: only the process with tgid 2878 is traced */
	if ((pid_tid >> 32) != 2878)
		return 0;

	entry.start_ts_nsec = bpf_ktime_get_ns();
	entry.arg_1 = PT_REGS_PARM1(ctx);
	entry.arg_2 = PT_REGS_PARM2(ctx);
	entry.arg_3 = PT_REGS_PARM3(ctx);
	entry.arg_4 = PT_REGS_PARM4(ctx);
	entry.arg_5 = PT_REGS_PARM5(ctx);
	entry.arg_6 = PT_REGS_PARM6(ctx);

	/* result unchecked: a failed insert leaves no record for the exit probe */
	tmp_i.update(&pid_tid, &entry);
	return 0;
}
/*
* kretprobe__SyS_open -- SyS_open() exit handler
*
* Builds a single-packet event from the record the entry handler saved in
* tmp_i, appends NAME_MAX bytes read from the address held in arg_1 (the
* filename argument, per the template description) and submits it on
* 'events'.
*/
int
kretprobe__SyS_open(struct pt_regs *ctx)
{
struct first_step_t *fsp;
/* fixed part of the packet plus a NAME_MAX-byte string area */
enum { _pad_size = offsetof(struct ev_dt_t, aux_str) + NAME_MAX };
/*
* aux_str is declared as char[1], so the _pad member is what actually
* reserves the stack space the string is copied into.
*/
union {
struct ev_dt_t ev;
char _pad[_pad_size];
} u;
u64 cur_nsec = bpf_ktime_get_ns();
u64 pid_tid = bpf_get_current_pid_tgid();
fsp = tmp_i.lookup(&pid_tid);
/* no saved entry record for this task: nothing to report */
if (fsp == 0)
return 0;
u.ev.packet_type = 0; /* No additional packets */
u.ev.sc_id = __NR_open; /* SysCall ID */
u.ev.arg_1 = fsp->arg_1;
u.ev.arg_2 = fsp->arg_2;
u.ev.arg_3 = fsp->arg_3;
u.ev.arg_4 = fsp->arg_4;
u.ev.arg_5 = fsp->arg_5;
u.ev.arg_6 = fsp->arg_6;
u.ev.pid_tid = pid_tid;
u.ev.start_ts_nsec = fsp->start_ts_nsec;
u.ev.finish_ts_nsec = cur_nsec;
u.ev.ret = PT_REGS_RC(ctx);
/*
* NOTE(review): this always copies exactly NAME_MAX bytes and the return
* value is ignored. For whoever consumes the event this means:
*  - bytes after the name's terminating NUL are whatever followed it in
*    the traced process's memory, so they should not be logged or stored;
*  - a name of NAME_MAX bytes or more arrives truncated and without a
*    terminator, so the reader has to bound its own string handling;
*  - the copy is made at syscall exit, so it can differ from the bytes the
*    kernel acted on if the process changed the buffer in between.
*/
bpf_probe_read(&u.ev.aux_str, NAME_MAX, (void *)fsp->arg_1);
events.perf_submit(ctx, &u.ev, _pad_size);
tmp_i.delete(&pid_tid);
return 0;
}
/*
* trace_libc_tmpl.c -- Trace syscalls with numbers known from libc.
* Uses BCC, eBPF.
*/
/*
 * kprobe__SyS_close -- entry probe for SyS_close().
 *
 * Stores the entry timestamp and the six argument registers in tmp_i,
 * keyed by the current pid_tgid value, for the exit probe to pick up.
 * Tasks whose tgid (upper 32 bits of the key) is not 2878 are ignored.
 */
int
kprobe__SyS_close(struct pt_regs *ctx)
{
	u64 pid_tid = bpf_get_current_pid_tgid();
	struct first_step_t entry;

	/* no-follow-fork mode: only the process with tgid 2878 is traced */
	if ((pid_tid >> 32) != 2878)
		return 0;

	entry.start_ts_nsec = bpf_ktime_get_ns();
	entry.arg_1 = PT_REGS_PARM1(ctx);
	entry.arg_2 = PT_REGS_PARM2(ctx);
	entry.arg_3 = PT_REGS_PARM3(ctx);
	entry.arg_4 = PT_REGS_PARM4(ctx);
	entry.arg_5 = PT_REGS_PARM5(ctx);
	entry.arg_6 = PT_REGS_PARM6(ctx);

	/* result unchecked: a failed insert leaves no record for the exit probe */
	tmp_i.update(&pid_tid, &entry);
	return 0;
}
/*
 * kretprobe__SyS_close -- return probe for SyS_close().
 *
 * Finds the record saved by the entry probe, sends one single-packet event
 * (signature, return value, six arguments) on 'events' and drops the
 * record. There is no tgid check here; the lookup in tmp_i acts as the
 * filter.
 */
int
kretprobe__SyS_close(struct pt_regs *ctx)
{
	/* only the fixed-size part of the packet, up to sc_name, is sent */
	enum { ev_size = offsetof(struct ev_dt_t, sc_name) };
	struct ev_dt_t pkt;
	struct first_step_t *saved;
	u64 cur_nsec = bpf_ktime_get_ns();
	u64 pid_tid = bpf_get_current_pid_tgid();

	saved = tmp_i.lookup(&pid_tid);
	if (!saved)
		return 0;

	pkt.packet_type = 0; /* No additional packets */
	pkt.pid_tid = pid_tid;
	pkt.start_ts_nsec = saved->start_ts_nsec;
	pkt.finish_ts_nsec = cur_nsec;
	pkt.sc_id = __NR_close; /* SysCall ID */

	pkt.ret = PT_REGS_RC(ctx);
	pkt.arg_1 = saved->arg_1;
	pkt.arg_2 = saved->arg_2;
	pkt.arg_3 = saved->arg_3;
	pkt.arg_4 = saved->arg_4;
	pkt.arg_5 = saved->arg_5;
	pkt.arg_6 = saved->arg_6;

	/* all ev_size bytes were assigned above, so no stale stack is sent */
	events.perf_submit(ctx, &pkt, ev_size);
	tmp_i.delete(&pid_tid);
	return 0;
}
/*
* trace_file_tmpl-sl.c -- Trace syscalls with numbers known from libc and
* filename as first argument. Single-packet version. Uses BCC, eBPF.
*/
/*
 * kprobe__SyS_newstat -- entry probe for SyS_newstat().
 *
 * Stores the entry timestamp and the six argument registers in tmp_i,
 * keyed by the current pid_tgid value, for the exit probe to pick up.
 * Tasks whose tgid (upper 32 bits of the key) is not 2878 are ignored.
 */
int
kprobe__SyS_newstat(struct pt_regs *ctx)
{
	u64 pid_tid = bpf_get_current_pid_tgid();
	struct first_step_t entry;

	/* no-follow-fork mode: only the process with tgid 2878 is traced */
	if ((pid_tid >> 32) != 2878)
		return 0;

	entry.start_ts_nsec = bpf_ktime_get_ns();
	entry.arg_1 = PT_REGS_PARM1(ctx);
	entry.arg_2 = PT_REGS_PARM2(ctx);
	entry.arg_3 = PT_REGS_PARM3(ctx);
	entry.arg_4 = PT_REGS_PARM4(ctx);
	entry.arg_5 = PT_REGS_PARM5(ctx);
	entry.arg_6 = PT_REGS_PARM6(ctx);

	/* result unchecked: a failed insert leaves no record for the exit probe */
	tmp_i.update(&pid_tid, &entry);
	return 0;
}
/*
* kretprobe__SyS_newstat -- SyS_newstat() exit handler
*
* Builds a single-packet event from the record the entry handler saved in
* tmp_i, appends NAME_MAX bytes read from the address held in arg_1 (the
* filename argument, per the template description) and submits it on
* 'events'.
*/
int
kretprobe__SyS_newstat(struct pt_regs *ctx)
{
struct first_step_t *fsp;
/* fixed part of the packet plus a NAME_MAX-byte string area */
enum { _pad_size = offsetof(struct ev_dt_t, aux_str) + NAME_MAX };
/*
* aux_str is declared as char[1], so the _pad member is what actually
* reserves the stack space the string is copied into.
*/
union {
struct ev_dt_t ev;
char _pad[_pad_size];
} u;
u64 cur_nsec = bpf_ktime_get_ns();
u64 pid_tid = bpf_get_current_pid_tgid();
fsp = tmp_i.lookup(&pid_tid);
/* no saved entry record for this task: nothing to report */
if (fsp == 0)
return 0;
u.ev.packet_type = 0; /* No additional packets */
u.ev.sc_id = __NR_stat; /* SysCall ID */
u.ev.arg_1 = fsp->arg_1;
u.ev.arg_2 = fsp->arg_2;
u.ev.arg_3 = fsp->arg_3;
u.ev.arg_4 = fsp->arg_4;
u.ev.arg_5 = fsp->arg_5;
u.ev.arg_6 = fsp->arg_6;
u.ev.pid_tid = pid_tid;
u.ev.start_ts_nsec = fsp->start_ts_nsec;
u.ev.finish_ts_nsec = cur_nsec;
u.ev.ret = PT_REGS_RC(ctx);
/*
* NOTE(review): this always copies exactly NAME_MAX bytes and the return
* value is ignored. For whoever consumes the event this means:
*  - bytes after the name's terminating NUL are whatever followed it in
*    the traced process's memory, so they should not be logged or stored;
*  - a name of NAME_MAX bytes or more arrives truncated and without a
*    terminator, so the reader has to bound its own string handling;
*  - the copy is made at syscall exit, so it can differ from the bytes the
*    kernel acted on if the process changed the buffer in between.
*/
bpf_probe_read(&u.ev.aux_str, NAME_MAX, (void *)fsp->arg_1);
events.perf_submit(ctx, &u.ev, _pad_size);
tmp_i.delete(&pid_tid);
return 0;
}
/*
* trace_libc_tmpl.c -- Trace syscalls with numbers known from libc.
* Uses BCC, eBPF.
*/
/*
 * kprobe__SyS_newfstat -- entry probe for SyS_newfstat().
 *
 * Stores the entry timestamp and the six argument registers in tmp_i,
 * keyed by the current pid_tgid value, for the exit probe to pick up.
 * Tasks whose tgid (upper 32 bits of the key) is not 2878 are ignored.
 */
int
kprobe__SyS_newfstat(struct pt_regs *ctx)
{
	u64 pid_tid = bpf_get_current_pid_tgid();
	struct first_step_t entry;

	/* no-follow-fork mode: only the process with tgid 2878 is traced */
	if ((pid_tid >> 32) != 2878)
		return 0;

	entry.start_ts_nsec = bpf_ktime_get_ns();
	entry.arg_1 = PT_REGS_PARM1(ctx);
	entry.arg_2 = PT_REGS_PARM2(ctx);
	entry.arg_3 = PT_REGS_PARM3(ctx);
	entry.arg_4 = PT_REGS_PARM4(ctx);
	entry.arg_5 = PT_REGS_PARM5(ctx);
	entry.arg_6 = PT_REGS_PARM6(ctx);

	/* result unchecked: a failed insert leaves no record for the exit probe */
	tmp_i.update(&pid_tid, &entry);
	return 0;
}
/*
 * kretprobe__SyS_newfstat -- return probe for SyS_newfstat().
 *
 * Finds the record saved by the entry probe, sends one single-packet event
 * (signature, return value, six arguments) on 'events' and drops the
 * record. There is no tgid check here; the lookup in tmp_i acts as the
 * filter.
 */
int
kretprobe__SyS_newfstat(struct pt_regs *ctx)
{
	/* only the fixed-size part of the packet, up to sc_name, is sent */
	enum { ev_size = offsetof(struct ev_dt_t, sc_name) };
	struct ev_dt_t pkt;
	struct first_step_t *saved;
	u64 cur_nsec = bpf_ktime_get_ns();
	u64 pid_tid = bpf_get_current_pid_tgid();

	saved = tmp_i.lookup(&pid_tid);
	if (!saved)
		return 0;

	pkt.packet_type = 0; /* No additional packets */
	pkt.pid_tid = pid_tid;
	pkt.start_ts_nsec = saved->start_ts_nsec;
	pkt.finish_ts_nsec = cur_nsec;
	pkt.sc_id = __NR_fstat; /* SysCall ID */

	pkt.ret = PT_REGS_RC(ctx);
	pkt.arg_1 = saved->arg_1;
	pkt.arg_2 = saved->arg_2;
	pkt.arg_3 = saved->arg_3;
	pkt.arg_4 = saved->arg_4;
	pkt.arg_5 = saved->arg_5;
	pkt.arg_6 = saved->arg_6;

	/* all ev_size bytes were assigned above, so no stale stack is sent */
	events.perf_submit(ctx, &pkt, ev_size);
	tmp_i.delete(&pid_tid);
	return 0;
}
/*
* trace_file_tmpl-sl.c -- Trace syscalls with numbers known from libc and
* filename as first argument. Single-packet version. Uses BCC, eBPF.
*/
/*
 * kprobe__SyS_newlstat -- entry probe for SyS_newlstat().
 *
 * Stores the entry timestamp and the six argument registers in tmp_i,
 * keyed by the current pid_tgid value, for the exit probe to pick up.
 * Tasks whose tgid (upper 32 bits of the key) is not 2878 are ignored.
 */
int
kprobe__SyS_newlstat(struct pt_regs *ctx)
{
	u64 pid_tid = bpf_get_current_pid_tgid();
	struct first_step_t entry;

	/* no-follow-fork mode: only the process with tgid 2878 is traced */
	if ((pid_tid >> 32) != 2878)
		return 0;

	entry.start_ts_nsec = bpf_ktime_get_ns();
	entry.arg_1 = PT_REGS_PARM1(ctx);
	entry.arg_2 = PT_REGS_PARM2(ctx);
	entry.arg_3 = PT_REGS_PARM3(ctx);
	entry.arg_4 = PT_REGS_PARM4(ctx);
	entry.arg_5 = PT_REGS_PARM5(ctx);
	entry.arg_6 = PT_REGS_PARM6(ctx);

	/* result unchecked: a failed insert leaves no record for the exit probe */
	tmp_i.update(&pid_tid, &entry);
	return 0;
}
/*
* kretprobe__SyS_newlstat -- SyS_newlstat() exit handler
*
* Builds a single-packet event from the record the entry handler saved in
* tmp_i, appends NAME_MAX bytes read from the address held in arg_1 (the
* filename argument, per the template description) and submits it on
* 'events'.
*/
int
kretprobe__SyS_newlstat(struct pt_regs *ctx)
{
struct first_step_t *fsp;
/* fixed part of the packet plus a NAME_MAX-byte string area */
enum { _pad_size = offsetof(struct ev_dt_t, aux_str) + NAME_MAX };
/*
* aux_str is declared as char[1], so the _pad member is what actually
* reserves the stack space the string is copied into.
*/
union {
struct ev_dt_t ev;
char _pad[_pad_size];
} u;
u64 cur_nsec = bpf_ktime_get_ns();
u64 pid_tid = bpf_get_current_pid_tgid();
fsp = tmp_i.lookup(&pid_tid);
/* no saved entry record for this task: nothing to report */
if (fsp == 0)
return 0;
u.ev.packet_type = 0; /* No additional packets */
u.ev.sc_id = __NR_lstat; /* SysCall ID */
u.ev.arg_1 = fsp->arg_1;
u.ev.arg_2 = fsp->arg_2;
u.ev.arg_3 = fsp->arg_3;
u.ev.arg_4 = fsp->arg_4;
u.ev.arg_5 = fsp->arg_5;
u.ev.arg_6 = fsp->arg_6;
u.ev.pid_tid = pid_tid;
u.ev.start_ts_nsec = fsp->start_ts_nsec;
u.ev.finish_ts_nsec = cur_nsec;
u.ev.ret = PT_REGS_RC(ctx);
/*
* NOTE(review): this always copies exactly NAME_MAX bytes and the return
* value is ignored. For whoever consumes the event this means:
*  - bytes after the name's terminating NUL are whatever followed it in
*    the traced process's memory, so they should not be logged or stored;
*  - a name of NAME_MAX bytes or more arrives truncated and without a
*    terminator, so the reader has to bound its own string handling;
*  - the copy is made at syscall exit, so it can differ from the bytes the
*    kernel acted on if the process changed the buffer in between.
*/
bpf_probe_read(&u.ev.aux_str, NAME_MAX, (void *)fsp->arg_1);
events.perf_submit(ctx, &u.ev, _pad_size);
tmp_i.delete(&pid_tid);
return 0;
}
/*
* trace_libc_tmpl.c -- Trace syscalls with numbers known from libc.
* Uses BCC, eBPF.
*/
/*
 * kprobe__SyS_poll -- entry probe for SyS_poll().
 *
 * Stores the entry timestamp and the six argument registers in tmp_i,
 * keyed by the current pid_tgid value, for the exit probe to pick up.
 * Tasks whose tgid (upper 32 bits of the key) is not 2878 are ignored.
 */
int
kprobe__SyS_poll(struct pt_regs *ctx)
{
	u64 pid_tid = bpf_get_current_pid_tgid();
	struct first_step_t entry;

	/* no-follow-fork mode: only the process with tgid 2878 is traced */
	if ((pid_tid >> 32) != 2878)
		return 0;

	entry.start_ts_nsec = bpf_ktime_get_ns();
	entry.arg_1 = PT_REGS_PARM1(ctx);
	entry.arg_2 = PT_REGS_PARM2(ctx);
	entry.arg_3 = PT_REGS_PARM3(ctx);
	entry.arg_4 = PT_REGS_PARM4(ctx);
	entry.arg_5 = PT_REGS_PARM5(ctx);
	entry.arg_6 = PT_REGS_PARM6(ctx);

	/* result unchecked: a failed insert leaves no record for the exit probe */
	tmp_i.update(&pid_tid, &entry);
	return 0;
}
/*
 * kretprobe__SyS_poll -- return probe for SyS_poll().
 *
 * Finds the record saved by the entry probe, sends one single-packet event
 * (signature, return value, six arguments) on 'events' and drops the
 * record. There is no tgid check here; the lookup in tmp_i acts as the
 * filter.
 */
int
kretprobe__SyS_poll(struct pt_regs *ctx)
{
	/* only the fixed-size part of the packet, up to sc_name, is sent */
	enum { ev_size = offsetof(struct ev_dt_t, sc_name) };
	struct ev_dt_t pkt;
	struct first_step_t *saved;
	u64 cur_nsec = bpf_ktime_get_ns();
	u64 pid_tid = bpf_get_current_pid_tgid();

	saved = tmp_i.lookup(&pid_tid);
	if (!saved)
		return 0;

	pkt.packet_type = 0; /* No additional packets */
	pkt.pid_tid = pid_tid;
	pkt.start_ts_nsec = saved->start_ts_nsec;
	pkt.finish_ts_nsec = cur_nsec;
	pkt.sc_id = __NR_poll; /* SysCall ID */

	pkt.ret = PT_REGS_RC(ctx);
	pkt.arg_1 = saved->arg_1;
	pkt.arg_2 = saved->arg_2;
	pkt.arg_3 = saved->arg_3;
	pkt.arg_4 = saved->arg_4;
	pkt.arg_5 = saved->arg_5;
	pkt.arg_6 = saved->arg_6;

	/* all ev_size bytes were assigned above, so no stale stack is sent */
	events.perf_submit(ctx, &pkt, ev_size);
	tmp_i.delete(&pid_tid);
	return 0;
}
/*
* trace_libc_tmpl.c -- Trace syscalls with numbers known from libc.
* Uses BCC, eBPF.
*/
/*
 * kprobe__SyS_lseek -- entry probe for SyS_lseek().
 *
 * Stores the entry timestamp and the six argument registers in tmp_i,
 * keyed by the current pid_tgid value, for the exit probe to pick up.
 * Tasks whose tgid (upper 32 bits of the key) is not 2878 are ignored.
 */
int
kprobe__SyS_lseek(struct pt_regs *ctx)
{
	u64 pid_tid = bpf_get_current_pid_tgid();
	struct first_step_t entry;

	/* no-follow-fork mode: only the process with tgid 2878 is traced */
	if ((pid_tid >> 32) != 2878)
		return 0;

	entry.start_ts_nsec = bpf_ktime_get_ns();
	entry.arg_1 = PT_REGS_PARM1(ctx);
	entry.arg_2 = PT_REGS_PARM2(ctx);
	entry.arg_3 = PT_REGS_PARM3(ctx);
	entry.arg_4 = PT_REGS_PARM4(ctx);
	entry.arg_5 = PT_REGS_PARM5(ctx);
	entry.arg_6 = PT_REGS_PARM6(ctx);

	/* result unchecked: a failed insert leaves no record for the exit probe */
	tmp_i.update(&pid_tid, &entry);
	return 0;
}
/*
 * kretprobe__SyS_lseek -- return probe for SyS_lseek().
 *
 * Finds the record saved by the entry probe, sends one single-packet event
 * (signature, return value, six arguments) on 'events' and drops the
 * record. There is no tgid check here; the lookup in tmp_i acts as the
 * filter.
 */
int
kretprobe__SyS_lseek(struct pt_regs *ctx)
{
	/* only the fixed-size part of the packet, up to sc_name, is sent */
	enum { ev_size = offsetof(struct ev_dt_t, sc_name) };
	struct ev_dt_t pkt;
	struct first_step_t *saved;
	u64 cur_nsec = bpf_ktime_get_ns();
	u64 pid_tid = bpf_get_current_pid_tgid();

	saved = tmp_i.lookup(&pid_tid);
	if (!saved)
		return 0;

	pkt.packet_type = 0; /* No additional packets */
	pkt.pid_tid = pid_tid;
	pkt.start_ts_nsec = saved->start_ts_nsec;
	pkt.finish_ts_nsec = cur_nsec;
	pkt.sc_id = __NR_lseek; /* SysCall ID */

	pkt.ret = PT_REGS_RC(ctx);
	pkt.arg_1 = saved->arg_1;
	pkt.arg_2 = saved->arg_2;
	pkt.arg_3 = saved->arg_3;
	pkt.arg_4 = saved->arg_4;
	pkt.arg_5 = saved->arg_5;
	pkt.arg_6 = saved->arg_6;

	/* all ev_size bytes were assigned above, so no stale stack is sent */
	events.perf_submit(ctx, &pkt, ev_size);
	tmp_i.delete(&pid_tid);
	return 0;
}
/*
* trace_libc_tmpl.c -- Trace syscalls with numbers known from libc.
* Uses BCC, eBPF.
*/
/*
 * kprobe__SyS_mmap -- entry probe for SyS_mmap().
 *
 * Stores the entry timestamp and the six argument registers in tmp_i,
 * keyed by the current pid_tgid value, for the exit probe to pick up.
 * Tasks whose tgid (upper 32 bits of the key) is not 2878 are ignored.
 */
int
kprobe__SyS_mmap(struct pt_regs *ctx)
{
	u64 pid_tid = bpf_get_current_pid_tgid();
	struct first_step_t entry;

	/* no-follow-fork mode: only the process with tgid 2878 is traced */
	if ((pid_tid >> 32) != 2878)
		return 0;

	entry.start_ts_nsec = bpf_ktime_get_ns();
	entry.arg_1 = PT_REGS_PARM1(ctx);
	entry.arg_2 = PT_REGS_PARM2(ctx);
	entry.arg_3 = PT_REGS_PARM3(ctx);
	entry.arg_4 = PT_REGS_PARM4(ctx);
	entry.arg_5 = PT_REGS_PARM5(ctx);
	entry.arg_6 = PT_REGS_PARM6(ctx);

	/* result unchecked: a failed insert leaves no record for the exit probe */
	tmp_i.update(&pid_tid, &entry);
	return 0;
}
/*
 * kretprobe__SyS_mmap -- return probe for SyS_mmap().
 *
 * Finds the record saved by the entry probe, sends one single-packet event
 * (signature, return value, six arguments) on 'events' and drops the
 * record. There is no tgid check here; the lookup in tmp_i acts as the
 * filter.
 */
int
kretprobe__SyS_mmap(struct pt_regs *ctx)
{
	/* only the fixed-size part of the packet, up to sc_name, is sent */
	enum { ev_size = offsetof(struct ev_dt_t, sc_name) };
	struct ev_dt_t pkt;
	struct first_step_t *saved;
	u64 cur_nsec = bpf_ktime_get_ns();
	u64 pid_tid = bpf_get_current_pid_tgid();

	saved = tmp_i.lookup(&pid_tid);
	if (!saved)
		return 0;

	pkt.packet_type = 0; /* No additional packets */
	pkt.pid_tid = pid_tid;
	pkt.start_ts_nsec = saved->start_ts_nsec;
	pkt.finish_ts_nsec = cur_nsec;
	pkt.sc_id = __NR_mmap; /* SysCall ID */

	pkt.ret = PT_REGS_RC(ctx);
	pkt.arg_1 = saved->arg_1;
	pkt.arg_2 = saved->arg_2;
	pkt.arg_3 = saved->arg_3;
	pkt.arg_4 = saved->arg_4;
	pkt.arg_5 = saved->arg_5;
	pkt.arg_6 = saved->arg_6;

	/* all ev_size bytes were assigned above, so no stale stack is sent */
	events.perf_submit(ctx, &pkt, ev_size);
	tmp_i.delete(&pid_tid);
	return 0;
}
/*
* trace_libc_tmpl.c -- Trace syscalls with numbers known from libc.
* Uses BCC, eBPF.
*/
/*
 * kprobe__SyS_mprotect -- entry probe for SyS_mprotect().
 *
 * Stores the entry timestamp and the six argument registers in tmp_i,
 * keyed by the current pid_tgid value, for the exit probe to pick up.
 * Tasks whose tgid (upper 32 bits of the key) is not 2878 are ignored.
 */
int
kprobe__SyS_mprotect(struct pt_regs *ctx)
{
	u64 pid_tid = bpf_get_current_pid_tgid();
	struct first_step_t entry;

	/* no-follow-fork mode: only the process with tgid 2878 is traced */
	if ((pid_tid >> 32) != 2878)
		return 0;

	entry.start_ts_nsec = bpf_ktime_get_ns();
	entry.arg_1 = PT_REGS_PARM1(ctx);
	entry.arg_2 = PT_REGS_PARM2(ctx);
	entry.arg_3 = PT_REGS_PARM3(ctx);
	entry.arg_4 = PT_REGS_PARM4(ctx);
	entry.arg_5 = PT_REGS_PARM5(ctx);
	entry.arg_6 = PT_REGS_PARM6(ctx);

	/* result unchecked: a failed insert leaves no record for the exit probe */
	tmp_i.update(&pid_tid, &entry);
	return 0;
}
/*
 * kretprobe__SyS_mprotect -- return probe for SyS_mprotect().
 *
 * Finds the record saved by the entry probe, sends one single-packet event
 * (signature, return value, six arguments) on 'events' and drops the
 * record. There is no tgid check here; the lookup in tmp_i acts as the
 * filter.
 */
int
kretprobe__SyS_mprotect(struct pt_regs *ctx)
{
	/* only the fixed-size part of the packet, up to sc_name, is sent */
	enum { ev_size = offsetof(struct ev_dt_t, sc_name) };
	struct ev_dt_t pkt;
	struct first_step_t *saved;
	u64 cur_nsec = bpf_ktime_get_ns();
	u64 pid_tid = bpf_get_current_pid_tgid();

	saved = tmp_i.lookup(&pid_tid);
	if (!saved)
		return 0;

	pkt.packet_type = 0; /* No additional packets */
	pkt.pid_tid = pid_tid;
	pkt.start_ts_nsec = saved->start_ts_nsec;
	pkt.finish_ts_nsec = cur_nsec;
	pkt.sc_id = __NR_mprotect; /* SysCall ID */

	pkt.ret = PT_REGS_RC(ctx);
	pkt.arg_1 = saved->arg_1;
	pkt.arg_2 = saved->arg_2;
	pkt.arg_3 = saved->arg_3;
	pkt.arg_4 = saved->arg_4;
	pkt.arg_5 = saved->arg_5;
	pkt.arg_6 = saved->arg_6;

	/* all ev_size bytes were assigned above, so no stale stack is sent */
	events.perf_submit(ctx, &pkt, ev_size);
	tmp_i.delete(&pid_tid);
	return 0;
}
/*
* trace_libc_tmpl.c -- Trace syscalls with numbers known from libc.
* Uses BCC, eBPF.
*/
/*
 * kprobe__SyS_munmap -- entry probe for SyS_munmap().
 *
 * Stores the entry timestamp and the six argument registers in tmp_i,
 * keyed by the current pid_tgid value, for the exit probe to pick up.
 * Tasks whose tgid (upper 32 bits of the key) is not 2878 are ignored.
 */
int
kprobe__SyS_munmap(struct pt_regs *ctx)
{
	u64 pid_tid = bpf_get_current_pid_tgid();
	struct first_step_t entry;

	/* no-follow-fork mode: only the process with tgid 2878 is traced */
	if ((pid_tid >> 32) != 2878)
		return 0;

	entry.start_ts_nsec = bpf_ktime_get_ns();
	entry.arg_1 = PT_REGS_PARM1(ctx);
	entry.arg_2 = PT_REGS_PARM2(ctx);
	entry.arg_3 = PT_REGS_PARM3(ctx);
	entry.arg_4 = PT_REGS_PARM4(ctx);
	entry.arg_5 = PT_REGS_PARM5(ctx);
	entry.arg_6 = PT_REGS_PARM6(ctx);

	/* result unchecked: a failed insert leaves no record for the exit probe */
	tmp_i.update(&pid_tid, &entry);
	return 0;
}
/*
 * kretprobe__SyS_munmap -- return probe for SyS_munmap().
 *
 * Finds the record saved by the entry probe, sends one single-packet event
 * (signature, return value, six arguments) on 'events' and drops the
 * record. There is no tgid check here; the lookup in tmp_i acts as the
 * filter.
 */
int
kretprobe__SyS_munmap(struct pt_regs *ctx)
{
	/* only the fixed-size part of the packet, up to sc_name, is sent */
	enum { ev_size = offsetof(struct ev_dt_t, sc_name) };
	struct ev_dt_t pkt;
	struct first_step_t *saved;
	u64 cur_nsec = bpf_ktime_get_ns();
	u64 pid_tid = bpf_get_current_pid_tgid();

	saved = tmp_i.lookup(&pid_tid);
	if (!saved)
		return 0;

	pkt.packet_type = 0; /* No additional packets */
	pkt.pid_tid = pid_tid;
	pkt.start_ts_nsec = saved->start_ts_nsec;
	pkt.finish_ts_nsec = cur_nsec;
	pkt.sc_id = __NR_munmap; /* SysCall ID */

	pkt.ret = PT_REGS_RC(ctx);
	pkt.arg_1 = saved->arg_1;
	pkt.arg_2 = saved->arg_2;
	pkt.arg_3 = saved->arg_3;
	pkt.arg_4 = saved->arg_4;
	pkt.arg_5 = saved->arg_5;
	pkt.arg_6 = saved->arg_6;

	/* all ev_size bytes were assigned above, so no stale stack is sent */
	events.perf_submit(ctx, &pkt, ev_size);
	tmp_i.delete(&pid_tid);
	return 0;
}
/*
* trace_libc_tmpl.c -- Trace syscalls with numbers known from libc.
* Uses BCC, eBPF.
*/
/*
 * kprobe__SyS_brk -- entry probe for SyS_brk().
 *
 * Stores the entry timestamp and the six argument registers in tmp_i,
 * keyed by the current pid_tgid value, for the exit probe to pick up.
 * Tasks whose tgid (upper 32 bits of the key) is not 2878 are ignored.
 */
int
kprobe__SyS_brk(struct pt_regs *ctx)
{
	u64 pid_tid = bpf_get_current_pid_tgid();
	struct first_step_t entry;

	/* no-follow-fork mode: only the process with tgid 2878 is traced */
	if ((pid_tid >> 32) != 2878)
		return 0;

	entry.start_ts_nsec = bpf_ktime_get_ns();
	entry.arg_1 = PT_REGS_PARM1(ctx);
	entry.arg_2 = PT_REGS_PARM2(ctx);
	entry.arg_3 = PT_REGS_PARM3(ctx);
	entry.arg_4 = PT_REGS_PARM4(ctx);
	entry.arg_5 = PT_REGS_PARM5(ctx);
	entry.arg_6 = PT_REGS_PARM6(ctx);

	/* result unchecked: a failed insert leaves no record for the exit probe */
	tmp_i.update(&pid_tid, &entry);
	return 0;
}
/*
 * kretprobe__SyS_brk -- return probe for SyS_brk().
 *
 * Finds the record saved by the entry probe, sends one single-packet event
 * (signature, return value, six arguments) on 'events' and drops the
 * record. There is no tgid check here; the lookup in tmp_i acts as the
 * filter.
 */
int
kretprobe__SyS_brk(struct pt_regs *ctx)
{
	/* only the fixed-size part of the packet, up to sc_name, is sent */
	enum { ev_size = offsetof(struct ev_dt_t, sc_name) };
	struct ev_dt_t pkt;
	struct first_step_t *saved;
	u64 cur_nsec = bpf_ktime_get_ns();
	u64 pid_tid = bpf_get_current_pid_tgid();

	saved = tmp_i.lookup(&pid_tid);
	if (!saved)
		return 0;

	pkt.packet_type = 0; /* No additional packets */
	pkt.pid_tid = pid_tid;
	pkt.start_ts_nsec = saved->start_ts_nsec;
	pkt.finish_ts_nsec = cur_nsec;
	pkt.sc_id = __NR_brk; /* SysCall ID */

	pkt.ret = PT_REGS_RC(ctx);
	pkt.arg_1 = saved->arg_1;
	pkt.arg_2 = saved->arg_2;
	pkt.arg_3 = saved->arg_3;
	pkt.arg_4 = saved->arg_4;
	pkt.arg_5 = saved->arg_5;
	pkt.arg_6 = saved->arg_6;

	/* all ev_size bytes were assigned above, so no stale stack is sent */
	events.perf_submit(ctx, &pkt, ev_size);
	tmp_i.delete(&pid_tid);
	return 0;
}
/*
* trace_libc_tmpl.c -- Trace syscalls with numbers known from libc.
* Uses BCC, eBPF.
*/
/*
 * kprobe__SyS_rt_sigaction -- entry probe for SyS_rt_sigaction().
 *
 * Stores the entry timestamp and the six argument registers in tmp_i,
 * keyed by the current pid_tgid value, for the exit probe to pick up.
 * Tasks whose tgid (upper 32 bits of the key) is not 2878 are ignored.
 */
int
kprobe__SyS_rt_sigaction(struct pt_regs *ctx)
{
	u64 pid_tid = bpf_get_current_pid_tgid();
	struct first_step_t entry;

	/* no-follow-fork mode: only the process with tgid 2878 is traced */
	if ((pid_tid >> 32) != 2878)
		return 0;

	entry.start_ts_nsec = bpf_ktime_get_ns();
	entry.arg_1 = PT_REGS_PARM1(ctx);
	entry.arg_2 = PT_REGS_PARM2(ctx);
	entry.arg_3 = PT_REGS_PARM3(ctx);
	entry.arg_4 = PT_REGS_PARM4(ctx);
	entry.arg_5 = PT_REGS_PARM5(ctx);
	entry.arg_6 = PT_REGS_PARM6(ctx);

	/* result unchecked: a failed insert leaves no record for the exit probe */
	tmp_i.update(&pid_tid, &entry);
	return 0;
}
/*
 * kretprobe__SyS_rt_sigaction -- return probe for SyS_rt_sigaction().
 *
 * Finds the record saved by the entry probe, sends one single-packet event
 * (signature, return value, six arguments) on 'events' and drops the
 * record. There is no tgid check here; the lookup in tmp_i acts as the
 * filter.
 */
int
kretprobe__SyS_rt_sigaction(struct pt_regs *ctx)
{
	/* only the fixed-size part of the packet, up to sc_name, is sent */
	enum { ev_size = offsetof(struct ev_dt_t, sc_name) };
	struct ev_dt_t pkt;
	struct first_step_t *saved;
	u64 cur_nsec = bpf_ktime_get_ns();
	u64 pid_tid = bpf_get_current_pid_tgid();

	saved = tmp_i.lookup(&pid_tid);
	if (!saved)
		return 0;

	pkt.packet_type = 0; /* No additional packets */
	pkt.pid_tid = pid_tid;
	pkt.start_ts_nsec = saved->start_ts_nsec;
	pkt.finish_ts_nsec = cur_nsec;
	pkt.sc_id = __NR_rt_sigaction; /* SysCall ID */

	pkt.ret = PT_REGS_RC(ctx);
	pkt.arg_1 = saved->arg_1;
	pkt.arg_2 = saved->arg_2;
	pkt.arg_3 = saved->arg_3;
	pkt.arg_4 = saved->arg_4;
	pkt.arg_5 = saved->arg_5;
	pkt.arg_6 = saved->arg_6;

	/* all ev_size bytes were assigned above, so no stale stack is sent */
	events.perf_submit(ctx, &pkt, ev_size);
	tmp_i.delete(&pid_tid);
	return 0;
}
/*
* trace_libc_tmpl.c -- Trace syscalls with numbers known from libc.
* Uses BCC, eBPF.
*/
/*
 * kprobe__SyS_rt_sigprocmask -- entry probe for SyS_rt_sigprocmask().
 *
 * Stores the entry timestamp and the six argument registers in tmp_i,
 * keyed by the current pid_tgid value, for the exit probe to pick up.
 * Tasks whose tgid (upper 32 bits of the key) is not 2878 are ignored.
 */
int
kprobe__SyS_rt_sigprocmask(struct pt_regs *ctx)
{
	u64 pid_tid = bpf_get_current_pid_tgid();
	struct first_step_t entry;

	/* no-follow-fork mode: only the process with tgid 2878 is traced */
	if ((pid_tid >> 32) != 2878)
		return 0;

	entry.start_ts_nsec = bpf_ktime_get_ns();
	entry.arg_1 = PT_REGS_PARM1(ctx);
	entry.arg_2 = PT_REGS_PARM2(ctx);
	entry.arg_3 = PT_REGS_PARM3(ctx);
	entry.arg_4 = PT_REGS_PARM4(ctx);
	entry.arg_5 = PT_REGS_PARM5(ctx);
	entry.arg_6 = PT_REGS_PARM6(ctx);

	/* result unchecked: a failed insert leaves no record for the exit probe */
	tmp_i.update(&pid_tid, &entry);
	return 0;
}
/*
 * kretprobe__SyS_rt_sigprocmask -- return probe for SyS_rt_sigprocmask().
 *
 * Finds the record saved by the entry probe, sends one single-packet event
 * (signature, return value, six arguments) on 'events' and drops the
 * record. There is no tgid check here; the lookup in tmp_i acts as the
 * filter.
 */
int
kretprobe__SyS_rt_sigprocmask(struct pt_regs *ctx)
{
	/* only the fixed-size part of the packet, up to sc_name, is sent */
	enum { ev_size = offsetof(struct ev_dt_t, sc_name) };
	struct ev_dt_t pkt;
	struct first_step_t *saved;
	u64 cur_nsec = bpf_ktime_get_ns();
	u64 pid_tid = bpf_get_current_pid_tgid();

	saved = tmp_i.lookup(&pid_tid);
	if (!saved)
		return 0;

	pkt.packet_type = 0; /* No additional packets */
	pkt.pid_tid = pid_tid;
	pkt.start_ts_nsec = saved->start_ts_nsec;
	pkt.finish_ts_nsec = cur_nsec;
	pkt.sc_id = __NR_rt_sigprocmask; /* SysCall ID */

	pkt.ret = PT_REGS_RC(ctx);
	pkt.arg_1 = saved->arg_1;
	pkt.arg_2 = saved->arg_2;
	pkt.arg_3 = saved->arg_3;
	pkt.arg_4 = saved->arg_4;
	pkt.arg_5 = saved->arg_5;
	pkt.arg_6 = saved->arg_6;

	/* all ev_size bytes were assigned above, so no stale stack is sent */
	events.perf_submit(ctx, &pkt, ev_size);
	tmp_i.delete(&pid_tid);
	return 0;
}
/*
* trace_libc_tmpl.c -- Trace syscalls with numbers known from libc.
* Uses BCC, eBPF.
*/
/*
 * kprobe__sys_rt_sigreturn -- entry probe for sys_rt_sigreturn().
 *
 * Stores the entry timestamp and the six argument registers in tmp_i,
 * keyed by the current pid_tgid value, for the exit probe to pick up.
 * Tasks whose tgid (upper 32 bits of the key) is not 2878 are ignored.
 */
int
kprobe__sys_rt_sigreturn(struct pt_regs *ctx)
{
	u64 pid_tid = bpf_get_current_pid_tgid();
	struct first_step_t entry;

	/* no-follow-fork mode: only the process with tgid 2878 is traced */
	if ((pid_tid >> 32) != 2878)
		return 0;

	entry.start_ts_nsec = bpf_ktime_get_ns();
	entry.arg_1 = PT_REGS_PARM1(ctx);
	entry.arg_2 = PT_REGS_PARM2(ctx);
	entry.arg_3 = PT_REGS_PARM3(ctx);
	entry.arg_4 = PT_REGS_PARM4(ctx);
	entry.arg_5 = PT_REGS_PARM5(ctx);
	entry.arg_6 = PT_REGS_PARM6(ctx);

	/* result unchecked: a failed insert leaves no record for the exit probe */
	tmp_i.update(&pid_tid, &entry);
	return 0;
}
/*
 * kretprobe__sys_rt_sigreturn -- return probe for sys_rt_sigreturn().
 *
 * Finds the record saved by the entry probe, sends one single-packet event
 * (signature, return value, six arguments) on 'events' and drops the
 * record. There is no tgid check here; the lookup in tmp_i acts as the
 * filter.
 */
int
kretprobe__sys_rt_sigreturn(struct pt_regs *ctx)
{
	/* only the fixed-size part of the packet, up to sc_name, is sent */
	enum { ev_size = offsetof(struct ev_dt_t, sc_name) };
	struct ev_dt_t pkt;
	struct first_step_t *saved;
	u64 cur_nsec = bpf_ktime_get_ns();
	u64 pid_tid = bpf_get_current_pid_tgid();

	saved = tmp_i.lookup(&pid_tid);
	if (!saved)
		return 0;

	pkt.packet_type = 0; /* No additional packets */
	pkt.pid_tid = pid_tid;
	pkt.start_ts_nsec = saved->start_ts_nsec;
	pkt.finish_ts_nsec = cur_nsec;
	pkt.sc_id = __NR_rt_sigreturn; /* SysCall ID */

	pkt.ret = PT_REGS_RC(ctx);
	pkt.arg_1 = saved->arg_1;
	pkt.arg_2 = saved->arg_2;
	pkt.arg_3 = saved->arg_3;
	pkt.arg_4 = saved->arg_4;
	pkt.arg_5 = saved->arg_5;
	pkt.arg_6 = saved->arg_6;

	/* all ev_size bytes were assigned above, so no stale stack is sent */
	events.perf_submit(ctx, &pkt, ev_size);
	tmp_i.delete(&pid_tid);
	return 0;
}
/*
* trace_libc_tmpl.c -- Trace syscalls with numbers known from libc.
* Uses BCC, eBPF.
*/
/*
 * kprobe__SyS_ioctl -- entry probe for SyS_ioctl().
 *
 * Stores the entry timestamp and the six argument registers in tmp_i,
 * keyed by the current pid_tgid value, for the exit probe to pick up.
 * Tasks whose tgid (upper 32 bits of the key) is not 2878 are ignored.
 */
int
kprobe__SyS_ioctl(struct pt_regs *ctx)
{
	u64 pid_tid = bpf_get_current_pid_tgid();
	struct first_step_t entry;

	/* no-follow-fork mode: only the process with tgid 2878 is traced */
	if ((pid_tid >> 32) != 2878)
		return 0;

	entry.start_ts_nsec = bpf_ktime_get_ns();
	entry.arg_1 = PT_REGS_PARM1(ctx);
	entry.arg_2 = PT_REGS_PARM2(ctx);
	entry.arg_3 = PT_REGS_PARM3(ctx);
	entry.arg_4 = PT_REGS_PARM4(ctx);
	entry.arg_5 = PT_REGS_PARM5(ctx);
	entry.arg_6 = PT_REGS_PARM6(ctx);

	/* result unchecked: a failed insert leaves no record for the exit probe */
	tmp_i.update(&pid_tid, &entry);
	return 0;
}
/*
 * kretprobe__SyS_ioctl -- return probe for SyS_ioctl().
 *
 * Finds the record saved by the entry probe, sends one single-packet event
 * (signature, return value, six arguments) on 'events' and drops the
 * record. There is no tgid check here; the lookup in tmp_i acts as the
 * filter.
 */
int
kretprobe__SyS_ioctl(struct pt_regs *ctx)
{
	/* only the fixed-size part of the packet, up to sc_name, is sent */
	enum { ev_size = offsetof(struct ev_dt_t, sc_name) };
	struct ev_dt_t pkt;
	struct first_step_t *saved;
	u64 cur_nsec = bpf_ktime_get_ns();
	u64 pid_tid = bpf_get_current_pid_tgid();

	saved = tmp_i.lookup(&pid_tid);
	if (!saved)
		return 0;

	pkt.packet_type = 0; /* No additional packets */
	pkt.pid_tid = pid_tid;
	pkt.start_ts_nsec = saved->start_ts_nsec;
	pkt.finish_ts_nsec = cur_nsec;
	pkt.sc_id = __NR_ioctl; /* SysCall ID */

	pkt.ret = PT_REGS_RC(ctx);
	pkt.arg_1 = saved->arg_1;
	pkt.arg_2 = saved->arg_2;
	pkt.arg_3 = saved->arg_3;
	pkt.arg_4 = saved->arg_4;
	pkt.arg_5 = saved->arg_5;
	pkt.arg_6 = saved->arg_6;

	/* all ev_size bytes were assigned above, so no stale stack is sent */
	events.perf_submit(ctx, &pkt, ev_size);
	tmp_i.delete(&pid_tid);
	return 0;
}
/*
* trace_libc_tmpl.c -- Trace syscalls with numbers known from libc.
* Uses BCC, eBPF.
*/
/*
 * kprobe__SyS_pread64 -- entry probe for SyS_pread64().
 *
 * Stores the entry timestamp and the six argument registers in tmp_i,
 * keyed by the current pid_tgid value, for the exit probe to pick up.
 * Tasks whose tgid (upper 32 bits of the key) is not 2878 are ignored.
 */
int
kprobe__SyS_pread64(struct pt_regs *ctx)
{
	u64 pid_tid = bpf_get_current_pid_tgid();
	struct first_step_t entry;

	/* no-follow-fork mode: only the process with tgid 2878 is traced */
	if ((pid_tid >> 32) != 2878)
		return 0;

	entry.start_ts_nsec = bpf_ktime_get_ns();
	entry.arg_1 = PT_REGS_PARM1(ctx);
	entry.arg_2 = PT_REGS_PARM2(ctx);
	entry.arg_3 = PT_REGS_PARM3(ctx);
	entry.arg_4 = PT_REGS_PARM4(ctx);
	entry.arg_5 = PT_REGS_PARM5(ctx);
	entry.arg_6 = PT_REGS_PARM6(ctx);

	/* result unchecked: a failed insert leaves no record for the exit probe */
	tmp_i.update(&pid_tid, &entry);
	return 0;
}
/*
 * kretprobe__SyS_pread64 -- return probe for SyS_pread64().
 *
 * Finds the record saved by the entry probe, sends one single-packet event
 * (signature, return value, six arguments) on 'events' and drops the
 * record. There is no tgid check here; the lookup in tmp_i acts as the
 * filter.
 */
int
kretprobe__SyS_pread64(struct pt_regs *ctx)
{
	/* only the fixed-size part of the packet, up to sc_name, is sent */
	enum { ev_size = offsetof(struct ev_dt_t, sc_name) };
	struct ev_dt_t pkt;
	struct first_step_t *saved;
	u64 cur_nsec = bpf_ktime_get_ns();
	u64 pid_tid = bpf_get_current_pid_tgid();

	saved = tmp_i.lookup(&pid_tid);
	if (!saved)
		return 0;

	pkt.packet_type = 0; /* No additional packets */
	pkt.pid_tid = pid_tid;
	pkt.start_ts_nsec = saved->start_ts_nsec;
	pkt.finish_ts_nsec = cur_nsec;
	pkt.sc_id = __NR_pread64; /* SysCall ID */

	pkt.ret = PT_REGS_RC(ctx);
	pkt.arg_1 = saved->arg_1;
	pkt.arg_2 = saved->arg_2;
	pkt.arg_3 = saved->arg_3;
	pkt.arg_4 = saved->arg_4;
	pkt.arg_5 = saved->arg_5;
	pkt.arg_6 = saved->arg_6;

	/* all ev_size bytes were assigned above, so no stale stack is sent */
	events.perf_submit(ctx, &pkt, ev_size);
	tmp_i.delete(&pid_tid);
	return 0;
}
/*
* trace_libc_tmpl.c -- Trace syscalls with numbers known from libc.
* Uses BCC, eBPF.
*/
/*
 * kprobe__SyS_pwrite64 -- entry probe for SyS_pwrite64().
 *
 * Stores the entry timestamp and the six argument registers in tmp_i,
 * keyed by the current pid_tgid value, for the exit probe to pick up.
 * Tasks whose tgid (upper 32 bits of the key) is not 2878 are ignored.
 */
int
kprobe__SyS_pwrite64(struct pt_regs *ctx)
{
	u64 pid_tid = bpf_get_current_pid_tgid();
	struct first_step_t entry;

	/* no-follow-fork mode: only the process with tgid 2878 is traced */
	if ((pid_tid >> 32) != 2878)
		return 0;

	entry.start_ts_nsec = bpf_ktime_get_ns();
	entry.arg_1 = PT_REGS_PARM1(ctx);
	entry.arg_2 = PT_REGS_PARM2(ctx);
	entry.arg_3 = PT_REGS_PARM3(ctx);
	entry.arg_4 = PT_REGS_PARM4(ctx);
	entry.arg_5 = PT_REGS_PARM5(ctx);
	entry.arg_6 = PT_REGS_PARM6(ctx);

	/* result unchecked: a failed insert leaves no record for the exit probe */
	tmp_i.update(&pid_tid, &entry);
	return 0;
}
/*
 * kretprobe__SyS_pwrite64 -- return probe for SyS_pwrite64().
 *
 * Finds the record saved by the entry probe, sends one single-packet event
 * (signature, return value, six arguments) on 'events' and drops the
 * record. There is no tgid check here; the lookup in tmp_i acts as the
 * filter.
 */
int
kretprobe__SyS_pwrite64(struct pt_regs *ctx)
{
	/* only the fixed-size part of the packet, up to sc_name, is sent */
	enum { ev_size = offsetof(struct ev_dt_t, sc_name) };
	struct ev_dt_t pkt;
	struct first_step_t *saved;
	u64 cur_nsec = bpf_ktime_get_ns();
	u64 pid_tid = bpf_get_current_pid_tgid();

	saved = tmp_i.lookup(&pid_tid);
	if (!saved)
		return 0;

	pkt.packet_type = 0; /* No additional packets */
	pkt.pid_tid = pid_tid;
	pkt.start_ts_nsec = saved->start_ts_nsec;
	pkt.finish_ts_nsec = cur_nsec;
	pkt.sc_id = __NR_pwrite64; /* SysCall ID */

	pkt.ret = PT_REGS_RC(ctx);
	pkt.arg_1 = saved->arg_1;
	pkt.arg_2 = saved->arg_2;
	pkt.arg_3 = saved->arg_3;
	pkt.arg_4 = saved->arg_4;
	pkt.arg_5 = saved->arg_5;
	pkt.arg_6 = saved->arg_6;

	/* all ev_size bytes were assigned above, so no stale stack is sent */
	events.perf_submit(ctx, &pkt, ev_size);
	tmp_i.delete(&pid_tid);
	return 0;
}
/*
* trace_libc_tmpl.c -- Trace syscalls with numbers known from libc.
* Uses BCC, eBPF.
*/
/*
 * kprobe__SyS_readv -- SyS_readv() entry handler
 *
 * Saves the entry timestamp and the six parameter registers in tmp_i under
 * the pid_tid key, where kretprobe__SyS_readv looks them up at exit.
 * Returns 0 on every path.
 */
int
kprobe__SyS_readv(struct pt_regs *ctx)
{
/*
 * NOTE(review): fs is not zero-initialised; this assumes first_step_t has no
 * fields or padding beyond what is assigned below -- confirm against its
 * definition.
 */
struct first_step_t fs;
u64 pid_tid = bpf_get_current_pid_tgid();
/*
* pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode.
*/
{
/*
 * The upper 32 bits of pid_tid are the tgid; 2878 is the traced PID written
 * into this generated code. Every other process is ignored.
 */
if ((pid_tid >> 32) != 2878) {
return 0;
}
}
fs.start_ts_nsec = bpf_ktime_get_ns();
/* All six registers are copied whatever the call's arity; unused ones hold stale values. */
fs.arg_1 = PT_REGS_PARM1(ctx);
fs.arg_2 = PT_REGS_PARM2(ctx);
fs.arg_3 = PT_REGS_PARM3(ctx);
fs.arg_4 = PT_REGS_PARM4(ctx);
fs.arg_5 = PT_REGS_PARM5(ctx);
fs.arg_6 = PT_REGS_PARM6(ctx);
/* Result ignored: if the insert fails, the exit handler finds no record and reports nothing. */
tmp_i.update(&pid_tid, &fs);
return 0;
};
/*
 * kretprobe__SyS_readv -- SyS_readv() exit handler
 *
 * Pairs the entry record stored in tmp_i under the pid_tid key with the
 * return value and the exit timestamp, submits the event through events and
 * deletes the entry record. Returns 0 on every path.
 */
int
kretprobe__SyS_readv(struct pt_regs *ctx)
{
struct first_step_t *fsp;
/*
 * NOTE(review): ev is not zero-initialised; padding inside the submitted
 * prefix, if there is any, would be uninitialised stack -- confirm the
 * ev_dt_t layout.
 */
struct ev_dt_t ev;
u64 cur_nsec = bpf_ktime_get_ns();
u64 pid_tid = bpf_get_current_pid_tgid();
fsp = tmp_i.lookup(&pid_tid);
/* No entry record under this key: nothing is reported. */
if (fsp == 0)
return 0;
ev.packet_type = 0; /* No additional packets */
ev.sc_id = __NR_readv; /* SysCall ID */
ev.arg_1 = fsp->arg_1;
ev.arg_2 = fsp->arg_2;
ev.arg_3 = fsp->arg_3;
ev.arg_4 = fsp->arg_4;
ev.arg_5 = fsp->arg_5;
ev.arg_6 = fsp->arg_6;
ev.pid_tid = pid_tid;
ev.start_ts_nsec = fsp->start_ts_nsec;
ev.finish_ts_nsec = cur_nsec;
ev.ret = PT_REGS_RC(ctx);
/* Only the bytes that precede sc_name are submitted. */
enum { ev_size = offsetof(struct ev_dt_t, sc_name) };
events.perf_submit(ctx, &ev, ev_size);
tmp_i.delete(&pid_tid);
return 0;
}
/*
* trace_libc_tmpl.c -- Trace syscalls with numbers known from libc.
* Uses BCC, eBPF.
*/
/*
 * kprobe__SyS_writev -- SyS_writev() entry handler
 *
 * Saves the entry timestamp and the six parameter registers in tmp_i under
 * the pid_tid key, where kretprobe__SyS_writev looks them up at exit.
 * Returns 0 on every path.
 */
int
kprobe__SyS_writev(struct pt_regs *ctx)
{
/*
 * NOTE(review): fs is not zero-initialised; this assumes first_step_t has no
 * fields or padding beyond what is assigned below -- confirm against its
 * definition.
 */
struct first_step_t fs;
u64 pid_tid = bpf_get_current_pid_tgid();
/*
* pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode.
*/
{
/*
 * The upper 32 bits of pid_tid are the tgid; 2878 is the traced PID written
 * into this generated code. Every other process is ignored.
 */
if ((pid_tid >> 32) != 2878) {
return 0;
}
}
fs.start_ts_nsec = bpf_ktime_get_ns();
/* All six registers are copied whatever the call's arity; unused ones hold stale values. */
fs.arg_1 = PT_REGS_PARM1(ctx);
fs.arg_2 = PT_REGS_PARM2(ctx);
fs.arg_3 = PT_REGS_PARM3(ctx);
fs.arg_4 = PT_REGS_PARM4(ctx);
fs.arg_5 = PT_REGS_PARM5(ctx);
fs.arg_6 = PT_REGS_PARM6(ctx);
/* Result ignored: if the insert fails, the exit handler finds no record and reports nothing. */
tmp_i.update(&pid_tid, &fs);
return 0;
};
/*
 * kretprobe__SyS_writev -- SyS_writev() exit handler
 *
 * Pairs the entry record stored in tmp_i under the pid_tid key with the
 * return value and the exit timestamp, submits the event through events and
 * deletes the entry record. Returns 0 on every path.
 */
int
kretprobe__SyS_writev(struct pt_regs *ctx)
{
struct first_step_t *fsp;
/*
 * NOTE(review): ev is not zero-initialised; padding inside the submitted
 * prefix, if there is any, would be uninitialised stack -- confirm the
 * ev_dt_t layout.
 */
struct ev_dt_t ev;
u64 cur_nsec = bpf_ktime_get_ns();
u64 pid_tid = bpf_get_current_pid_tgid();
fsp = tmp_i.lookup(&pid_tid);
/* No entry record under this key: nothing is reported. */
if (fsp == 0)
return 0;
ev.packet_type = 0; /* No additional packets */
ev.sc_id = __NR_writev; /* SysCall ID */
ev.arg_1 = fsp->arg_1;
ev.arg_2 = fsp->arg_2;
ev.arg_3 = fsp->arg_3;
ev.arg_4 = fsp->arg_4;
ev.arg_5 = fsp->arg_5;
ev.arg_6 = fsp->arg_6;
ev.pid_tid = pid_tid;
ev.start_ts_nsec = fsp->start_ts_nsec;
ev.finish_ts_nsec = cur_nsec;
ev.ret = PT_REGS_RC(ctx);
/* Only the bytes that precede sc_name are submitted. */
enum { ev_size = offsetof(struct ev_dt_t, sc_name) };
events.perf_submit(ctx, &ev, ev_size);
tmp_i.delete(&pid_tid);
return 0;
}
/*
* trace_file_tmpl-sl.c -- Trace syscalls with numbers known from libc and
* filename as first argument. Single-packet version. Uses BCC, eBPF.
*/
/*
 * kprobe__SyS_access -- SyS_access() entry handler
 *
 * Saves the entry timestamp and the six parameter registers in tmp_i under
 * the pid_tid key, where kretprobe__SyS_access looks them up at exit.
 * arg_1 is the address the exit handler later reads the file name from.
 * Returns 0 on every path.
 */
int
kprobe__SyS_access(struct pt_regs *ctx)
{
/*
 * NOTE(review): fs is not zero-initialised; this assumes first_step_t has no
 * fields or padding beyond what is assigned below -- confirm against its
 * definition.
 */
struct first_step_t fs;
u64 pid_tid = bpf_get_current_pid_tgid();
/*
* pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode.
*/
{
/*
 * The upper 32 bits of pid_tid are the tgid; 2878 is the traced PID written
 * into this generated code. Every other process is ignored.
 */
if ((pid_tid >> 32) != 2878) {
return 0;
}
}
fs.start_ts_nsec = bpf_ktime_get_ns();
/* All six registers are copied whatever the call's arity; unused ones hold stale values. */
fs.arg_1 = PT_REGS_PARM1(ctx);
fs.arg_2 = PT_REGS_PARM2(ctx);
fs.arg_3 = PT_REGS_PARM3(ctx);
fs.arg_4 = PT_REGS_PARM4(ctx);
fs.arg_5 = PT_REGS_PARM5(ctx);
fs.arg_6 = PT_REGS_PARM6(ctx);
/* Result ignored: if the insert fails, the exit handler finds no record and reports nothing. */
tmp_i.update(&pid_tid, &fs);
return 0;
};
/*
 * kretprobe__SyS_access -- SyS_access() exit handler
 *
 * Pairs the entry record stored in tmp_i under the pid_tid key with the
 * return value and the exit timestamp, copies NAME_MAX bytes from the address
 * saved as arg_1 into aux_str, submits the event through events and deletes
 * the entry record. Returns 0 on every path.
 */
int
kretprobe__SyS_access(struct pt_regs *ctx)
{
struct first_step_t *fsp;
/* Size of the submitted packet: everything up to aux_str plus NAME_MAX bytes of it. */
enum { _pad_size = offsetof(struct ev_dt_t, aux_str) + NAME_MAX };
/*
 * The union sizes the stack object to at least _pad_size bytes.
 * NOTE(review): u is not zero-initialised; any byte of the submitted range
 * that is neither assigned below nor written by bpf_probe_read() would be
 * uninitialised stack -- confirm the ev_dt_t layout.
 */
union {
struct ev_dt_t ev;
char _pad[_pad_size];
} u;
u64 cur_nsec = bpf_ktime_get_ns();
u64 pid_tid = bpf_get_current_pid_tgid();
fsp = tmp_i.lookup(&pid_tid);
/* No entry record under this key: nothing is reported. */
if (fsp == 0)
return 0;
u.ev.packet_type = 0; /* No additional packets */
u.ev.sc_id = __NR_access; /* SysCall ID */
u.ev.arg_1 = fsp->arg_1;
u.ev.arg_2 = fsp->arg_2;
u.ev.arg_3 = fsp->arg_3;
u.ev.arg_4 = fsp->arg_4;
u.ev.arg_5 = fsp->arg_5;
u.ev.arg_6 = fsp->arg_6;
u.ev.pid_tid = pid_tid;
u.ev.start_ts_nsec = fsp->start_ts_nsec;
u.ev.finish_ts_nsec = cur_nsec;
u.ev.ret = PT_REGS_RC(ctx);
/*
 * Copies a fixed NAME_MAX bytes rather than a NUL-terminated string, so the
 * bytes after the terminator are whatever follows the path in the traced
 * process's memory, and they are submitted with the event. The result is not
 * checked. The copy happens at syscall exit through the pointer saved at
 * entry, so the recorded name can differ from the one the kernel acted on if
 * the buffer changed in between.
 * NOTE(review): bpf_probe_read_str(), on kernels that provide it, stops at
 * the terminator.
 */
bpf_probe_read(&u.ev.aux_str, NAME_MAX, (void *)fsp->arg_1);
events.perf_submit(ctx, &u.ev, _pad_size);
tmp_i.delete(&pid_tid);
return 0;
}
/*
* trace_libc_tmpl.c -- Trace syscalls with numbers known from libc.
* Uses BCC, eBPF.
*/
/*
 * kprobe__SyS_pipe -- SyS_pipe() entry handler
 *
 * Saves the entry timestamp and the six parameter registers in tmp_i under
 * the pid_tid key, where kretprobe__SyS_pipe looks them up at exit.
 * Returns 0 on every path.
 */
int
kprobe__SyS_pipe(struct pt_regs *ctx)
{
/*
 * NOTE(review): fs is not zero-initialised; this assumes first_step_t has no
 * fields or padding beyond what is assigned below -- confirm against its
 * definition.
 */
struct first_step_t fs;
u64 pid_tid = bpf_get_current_pid_tgid();
/*
* pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode.
*/
{
/*
 * The upper 32 bits of pid_tid are the tgid; 2878 is the traced PID written
 * into this generated code. Every other process is ignored.
 */
if ((pid_tid >> 32) != 2878) {
return 0;
}
}
fs.start_ts_nsec = bpf_ktime_get_ns();
/* All six registers are copied whatever the call's arity; unused ones hold stale values. */
fs.arg_1 = PT_REGS_PARM1(ctx);
fs.arg_2 = PT_REGS_PARM2(ctx);
fs.arg_3 = PT_REGS_PARM3(ctx);
fs.arg_4 = PT_REGS_PARM4(ctx);
fs.arg_5 = PT_REGS_PARM5(ctx);
fs.arg_6 = PT_REGS_PARM6(ctx);
/* Result ignored: if the insert fails, the exit handler finds no record and reports nothing. */
tmp_i.update(&pid_tid, &fs);
return 0;
};
/*
 * kretprobe__SyS_pipe -- SyS_pipe() exit handler
 *
 * Pairs the entry record stored in tmp_i under the pid_tid key with the
 * return value and the exit timestamp, submits the event through events and
 * deletes the entry record. Returns 0 on every path.
 */
int
kretprobe__SyS_pipe(struct pt_regs *ctx)
{
struct first_step_t *fsp;
/*
 * NOTE(review): ev is not zero-initialised; padding inside the submitted
 * prefix, if there is any, would be uninitialised stack -- confirm the
 * ev_dt_t layout.
 */
struct ev_dt_t ev;
u64 cur_nsec = bpf_ktime_get_ns();
u64 pid_tid = bpf_get_current_pid_tgid();
fsp = tmp_i.lookup(&pid_tid);
/* No entry record under this key: nothing is reported. */
if (fsp == 0)
return 0;
ev.packet_type = 0; /* No additional packets */
ev.sc_id = __NR_pipe; /* SysCall ID */
ev.arg_1 = fsp->arg_1;
ev.arg_2 = fsp->arg_2;
ev.arg_3 = fsp->arg_3;
ev.arg_4 = fsp->arg_4;
ev.arg_5 = fsp->arg_5;
ev.arg_6 = fsp->arg_6;
ev.pid_tid = pid_tid;
ev.start_ts_nsec = fsp->start_ts_nsec;
ev.finish_ts_nsec = cur_nsec;
ev.ret = PT_REGS_RC(ctx);
/* Only the bytes that precede sc_name are submitted. */
enum { ev_size = offsetof(struct ev_dt_t, sc_name) };
events.perf_submit(ctx, &ev, ev_size);
tmp_i.delete(&pid_tid);
return 0;
}
/*
* trace_libc_tmpl.c -- Trace syscalls with numbers known from libc.
* Uses BCC, eBPF.
*/
/*
 * kprobe__SyS_select -- SyS_select() entry handler
 *
 * Saves the entry timestamp and the six parameter registers in tmp_i under
 * the pid_tid key, where kretprobe__SyS_select looks them up at exit.
 * Returns 0 on every path.
 */
int
kprobe__SyS_select(struct pt_regs *ctx)
{
/*
 * NOTE(review): fs is not zero-initialised; this assumes first_step_t has no
 * fields or padding beyond what is assigned below -- confirm against its
 * definition.
 */
struct first_step_t fs;
u64 pid_tid = bpf_get_current_pid_tgid();
/*
* pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode.
*/
{
/*
 * The upper 32 bits of pid_tid are the tgid; 2878 is the traced PID written
 * into this generated code. Every other process is ignored.
 */
if ((pid_tid >> 32) != 2878) {
return 0;
}
}
fs.start_ts_nsec = bpf_ktime_get_ns();
/* All six registers are copied whatever the call's arity; unused ones hold stale values. */
fs.arg_1 = PT_REGS_PARM1(ctx);
fs.arg_2 = PT_REGS_PARM2(ctx);
fs.arg_3 = PT_REGS_PARM3(ctx);
fs.arg_4 = PT_REGS_PARM4(ctx);
fs.arg_5 = PT_REGS_PARM5(ctx);
fs.arg_6 = PT_REGS_PARM6(ctx);
/* Result ignored: if the insert fails, the exit handler finds no record and reports nothing. */
tmp_i.update(&pid_tid, &fs);
return 0;
};
/*
 * kretprobe__SyS_select -- SyS_select() exit handler
 *
 * Pairs the entry record stored in tmp_i under the pid_tid key with the
 * return value and the exit timestamp, submits the event through events and
 * deletes the entry record. Returns 0 on every path.
 */
int
kretprobe__SyS_select(struct pt_regs *ctx)
{
struct first_step_t *fsp;
/*
 * NOTE(review): ev is not zero-initialised; padding inside the submitted
 * prefix, if there is any, would be uninitialised stack -- confirm the
 * ev_dt_t layout.
 */
struct ev_dt_t ev;
u64 cur_nsec = bpf_ktime_get_ns();
u64 pid_tid = bpf_get_current_pid_tgid();
fsp = tmp_i.lookup(&pid_tid);
/* No entry record under this key: nothing is reported. */
if (fsp == 0)
return 0;
ev.packet_type = 0; /* No additional packets */
ev.sc_id = __NR_select; /* SysCall ID */
ev.arg_1 = fsp->arg_1;
ev.arg_2 = fsp->arg_2;
ev.arg_3 = fsp->arg_3;
ev.arg_4 = fsp->arg_4;
ev.arg_5 = fsp->arg_5;
ev.arg_6 = fsp->arg_6;
ev.pid_tid = pid_tid;
ev.start_ts_nsec = fsp->start_ts_nsec;
ev.finish_ts_nsec = cur_nsec;
ev.ret = PT_REGS_RC(ctx);
/* Only the bytes that precede sc_name are submitted. */
enum { ev_size = offsetof(struct ev_dt_t, sc_name) };
events.perf_submit(ctx, &ev, ev_size);
tmp_i.delete(&pid_tid);
return 0;
}
/*
* trace_libc_tmpl.c -- Trace syscalls with numbers known from libc.
* Uses BCC, eBPF.
*/
/*
 * kprobe__sys_sched_yield -- sys_sched_yield() entry handler
 *
 * Saves the entry timestamp and the six parameter registers in tmp_i under
 * the pid_tid key, where kretprobe__sys_sched_yield looks them up at exit.
 * Returns 0 on every path.
 */
int
kprobe__sys_sched_yield(struct pt_regs *ctx)
{
/*
 * NOTE(review): fs is not zero-initialised; this assumes first_step_t has no
 * fields or padding beyond what is assigned below -- confirm against its
 * definition.
 */
struct first_step_t fs;
u64 pid_tid = bpf_get_current_pid_tgid();
/*
* pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode.
*/
{
/*
 * The upper 32 bits of pid_tid are the tgid; 2878 is the traced PID written
 * into this generated code. Every other process is ignored.
 */
if ((pid_tid >> 32) != 2878) {
return 0;
}
}
fs.start_ts_nsec = bpf_ktime_get_ns();
/* sched_yield() takes no arguments, so all six saved values are stale register contents. */
fs.arg_1 = PT_REGS_PARM1(ctx);
fs.arg_2 = PT_REGS_PARM2(ctx);
fs.arg_3 = PT_REGS_PARM3(ctx);
fs.arg_4 = PT_REGS_PARM4(ctx);
fs.arg_5 = PT_REGS_PARM5(ctx);
fs.arg_6 = PT_REGS_PARM6(ctx);
/* Result ignored: if the insert fails, the exit handler finds no record and reports nothing. */
tmp_i.update(&pid_tid, &fs);
return 0;
};
/*
 * kretprobe__sys_sched_yield -- sys_sched_yield() exit handler
 *
 * Pairs the entry record stored in tmp_i under the pid_tid key with the
 * return value and the exit timestamp, submits the event through events and
 * deletes the entry record. Returns 0 on every path.
 */
int
kretprobe__sys_sched_yield(struct pt_regs *ctx)
{
struct first_step_t *fsp;
/*
 * NOTE(review): ev is not zero-initialised; padding inside the submitted
 * prefix, if there is any, would be uninitialised stack -- confirm the
 * ev_dt_t layout.
 */
struct ev_dt_t ev;
u64 cur_nsec = bpf_ktime_get_ns();
u64 pid_tid = bpf_get_current_pid_tgid();
fsp = tmp_i.lookup(&pid_tid);
/* No entry record under this key: nothing is reported. */
if (fsp == 0)
return 0;
ev.packet_type = 0; /* No additional packets */
ev.sc_id = __NR_sched_yield; /* SysCall ID */
ev.arg_1 = fsp->arg_1;
ev.arg_2 = fsp->arg_2;
ev.arg_3 = fsp->arg_3;
ev.arg_4 = fsp->arg_4;
ev.arg_5 = fsp->arg_5;
ev.arg_6 = fsp->arg_6;
ev.pid_tid = pid_tid;
ev.start_ts_nsec = fsp->start_ts_nsec;
ev.finish_ts_nsec = cur_nsec;
ev.ret = PT_REGS_RC(ctx);
/* Only the bytes that precede sc_name are submitted. */
enum { ev_size = offsetof(struct ev_dt_t, sc_name) };
events.perf_submit(ctx, &ev, ev_size);
tmp_i.delete(&pid_tid);
return 0;
}
/*
* trace_libc_tmpl.c -- Trace syscalls with numbers known from libc.
* Uses BCC, eBPF.
*/
/*
 * kprobe__SyS_mremap -- SyS_mremap() entry handler
 *
 * Saves the entry timestamp and the six parameter registers in tmp_i under
 * the pid_tid key, where kretprobe__SyS_mremap looks them up at exit.
 * Returns 0 on every path.
 */
int
kprobe__SyS_mremap(struct pt_regs *ctx)
{
/*
 * NOTE(review): fs is not zero-initialised; this assumes first_step_t has no
 * fields or padding beyond what is assigned below -- confirm against its
 * definition.
 */
struct first_step_t fs;
u64 pid_tid = bpf_get_current_pid_tgid();
/*
* pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode.
*/
{
/*
 * The upper 32 bits of pid_tid are the tgid; 2878 is the traced PID written
 * into this generated code. Every other process is ignored.
 */
if ((pid_tid >> 32) != 2878) {
return 0;
}
}
fs.start_ts_nsec = bpf_ktime_get_ns();
/* All six registers are copied whatever the call's arity; unused ones hold stale values. */
fs.arg_1 = PT_REGS_PARM1(ctx);
fs.arg_2 = PT_REGS_PARM2(ctx);
fs.arg_3 = PT_REGS_PARM3(ctx);
fs.arg_4 = PT_REGS_PARM4(ctx);
fs.arg_5 = PT_REGS_PARM5(ctx);
fs.arg_6 = PT_REGS_PARM6(ctx);
/* Result ignored: if the insert fails, the exit handler finds no record and reports nothing. */
tmp_i.update(&pid_tid, &fs);
return 0;
};
/*
 * kretprobe__SyS_mremap -- SyS_mremap() exit handler
 *
 * Pairs the entry record stored in tmp_i under the pid_tid key with the
 * return value and the exit timestamp, submits the event through events and
 * deletes the entry record. Returns 0 on every path.
 */
int
kretprobe__SyS_mremap(struct pt_regs *ctx)
{
struct first_step_t *fsp;
/*
 * NOTE(review): ev is not zero-initialised; padding inside the submitted
 * prefix, if there is any, would be uninitialised stack -- confirm the
 * ev_dt_t layout.
 */
struct ev_dt_t ev;
u64 cur_nsec = bpf_ktime_get_ns();
u64 pid_tid = bpf_get_current_pid_tgid();
fsp = tmp_i.lookup(&pid_tid);
/* No entry record under this key: nothing is reported. */
if (fsp == 0)
return 0;
ev.packet_type = 0; /* No additional packets */
ev.sc_id = __NR_mremap; /* SysCall ID */
ev.arg_1 = fsp->arg_1;
ev.arg_2 = fsp->arg_2;
ev.arg_3 = fsp->arg_3;
ev.arg_4 = fsp->arg_4;
ev.arg_5 = fsp->arg_5;
ev.arg_6 = fsp->arg_6;
ev.pid_tid = pid_tid;
ev.start_ts_nsec = fsp->start_ts_nsec;
ev.finish_ts_nsec = cur_nsec;
ev.ret = PT_REGS_RC(ctx);
/* Only the bytes that precede sc_name are submitted. */
enum { ev_size = offsetof(struct ev_dt_t, sc_name) };
events.perf_submit(ctx, &ev, ev_size);
tmp_i.delete(&pid_tid);
return 0;
}
/*
* trace_libc_tmpl.c -- Trace syscalls with numbers known from libc.
* Uses BCC, eBPF.
*/
/*
 * kprobe__SyS_msync -- SyS_msync() entry handler
 *
 * Saves the entry timestamp and the six parameter registers in tmp_i under
 * the pid_tid key, where kretprobe__SyS_msync looks them up at exit.
 * Returns 0 on every path.
 */
int
kprobe__SyS_msync(struct pt_regs *ctx)
{
/*
 * NOTE(review): fs is not zero-initialised; this assumes first_step_t has no
 * fields or padding beyond what is assigned below -- confirm against its
 * definition.
 */
struct first_step_t fs;
u64 pid_tid = bpf_get_current_pid_tgid();
/*
* pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode.
*/
{
/*
 * The upper 32 bits of pid_tid are the tgid; 2878 is the traced PID written
 * into this generated code. Every other process is ignored.
 */
if ((pid_tid >> 32) != 2878) {
return 0;
}
}
fs.start_ts_nsec = bpf_ktime_get_ns();
/* All six registers are copied whatever the call's arity; unused ones hold stale values. */
fs.arg_1 = PT_REGS_PARM1(ctx);
fs.arg_2 = PT_REGS_PARM2(ctx);
fs.arg_3 = PT_REGS_PARM3(ctx);
fs.arg_4 = PT_REGS_PARM4(ctx);
fs.arg_5 = PT_REGS_PARM5(ctx);
fs.arg_6 = PT_REGS_PARM6(ctx);
/* Result ignored: if the insert fails, the exit handler finds no record and reports nothing. */
tmp_i.update(&pid_tid, &fs);
return 0;
};
/*
 * kretprobe__SyS_msync -- SyS_msync() exit handler
 *
 * Pairs the entry record stored in tmp_i under the pid_tid key with the
 * return value and the exit timestamp, submits the event through events and
 * deletes the entry record. Returns 0 on every path.
 */
int
kretprobe__SyS_msync(struct pt_regs *ctx)
{
struct first_step_t *fsp;
/*
 * NOTE(review): ev is not zero-initialised; padding inside the submitted
 * prefix, if there is any, would be uninitialised stack -- confirm the
 * ev_dt_t layout.
 */
struct ev_dt_t ev;
u64 cur_nsec = bpf_ktime_get_ns();
u64 pid_tid = bpf_get_current_pid_tgid();
fsp = tmp_i.lookup(&pid_tid);
/* No entry record under this key: nothing is reported. */
if (fsp == 0)
return 0;
ev.packet_type = 0; /* No additional packets */
ev.sc_id = __NR_msync; /* SysCall ID */
ev.arg_1 = fsp->arg_1;
ev.arg_2 = fsp->arg_2;
ev.arg_3 = fsp->arg_3;
ev.arg_4 = fsp->arg_4;
ev.arg_5 = fsp->arg_5;
ev.arg_6 = fsp->arg_6;
ev.pid_tid = pid_tid;
ev.start_ts_nsec = fsp->start_ts_nsec;
ev.finish_ts_nsec = cur_nsec;
ev.ret = PT_REGS_RC(ctx);
/* Only the bytes that precede sc_name are submitted. */
enum { ev_size = offsetof(struct ev_dt_t, sc_name) };
events.perf_submit(ctx, &ev, ev_size);
tmp_i.delete(&pid_tid);
return 0;
}
/*
* trace_libc_tmpl.c -- Trace syscalls with numbers known from libc.
* Uses BCC, eBPF.
*/
/*
 * kprobe__SyS_mincore -- SyS_mincore() entry handler
 *
 * Saves the entry timestamp and the six parameter registers in tmp_i under
 * the pid_tid key, where kretprobe__SyS_mincore looks them up at exit.
 * Returns 0 on every path.
 */
int
kprobe__SyS_mincore(struct pt_regs *ctx)
{
/*
 * NOTE(review): fs is not zero-initialised; this assumes first_step_t has no
 * fields or padding beyond what is assigned below -- confirm against its
 * definition.
 */
struct first_step_t fs;
u64 pid_tid = bpf_get_current_pid_tgid();
/*
* pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode.
*/
{
/*
 * The upper 32 bits of pid_tid are the tgid; 2878 is the traced PID written
 * into this generated code. Every other process is ignored.
 */
if ((pid_tid >> 32) != 2878) {
return 0;
}
}
fs.start_ts_nsec = bpf_ktime_get_ns();
/* All six registers are copied whatever the call's arity; unused ones hold stale values. */
fs.arg_1 = PT_REGS_PARM1(ctx);
fs.arg_2 = PT_REGS_PARM2(ctx);
fs.arg_3 = PT_REGS_PARM3(ctx);
fs.arg_4 = PT_REGS_PARM4(ctx);
fs.arg_5 = PT_REGS_PARM5(ctx);
fs.arg_6 = PT_REGS_PARM6(ctx);
/* Result ignored: if the insert fails, the exit handler finds no record and reports nothing. */
tmp_i.update(&pid_tid, &fs);
return 0;
};
/*
 * kretprobe__SyS_mincore -- SyS_mincore() exit handler
 *
 * Pairs the entry record stored in tmp_i under the pid_tid key with the
 * return value and the exit timestamp, submits the event through events and
 * deletes the entry record. Returns 0 on every path.
 */
int
kretprobe__SyS_mincore(struct pt_regs *ctx)
{
struct first_step_t *fsp;
/*
 * NOTE(review): ev is not zero-initialised; padding inside the submitted
 * prefix, if there is any, would be uninitialised stack -- confirm the
 * ev_dt_t layout.
 */
struct ev_dt_t ev;
u64 cur_nsec = bpf_ktime_get_ns();
u64 pid_tid = bpf_get_current_pid_tgid();
fsp = tmp_i.lookup(&pid_tid);
/* No entry record under this key: nothing is reported. */
if (fsp == 0)
return 0;
ev.packet_type = 0; /* No additional packets */
ev.sc_id = __NR_mincore; /* SysCall ID */
ev.arg_1 = fsp->arg_1;
ev.arg_2 = fsp->arg_2;
ev.arg_3 = fsp->arg_3;
ev.arg_4 = fsp->arg_4;
ev.arg_5 = fsp->arg_5;
ev.arg_6 = fsp->arg_6;
ev.pid_tid = pid_tid;
ev.start_ts_nsec = fsp->start_ts_nsec;
ev.finish_ts_nsec = cur_nsec;
ev.ret = PT_REGS_RC(ctx);
/* Only the bytes that precede sc_name are submitted. */
enum { ev_size = offsetof(struct ev_dt_t, sc_name) };
events.perf_submit(ctx, &ev, ev_size);
tmp_i.delete(&pid_tid);
return 0;
}
/*
* trace_libc_tmpl.c -- Trace syscalls with numbers known from libc.
* Uses BCC, eBPF.
*/
/*
 * kprobe__SyS_madvise -- SyS_madvise() entry handler
 *
 * Saves the entry timestamp and the six parameter registers in tmp_i under
 * the pid_tid key, where kretprobe__SyS_madvise looks them up at exit.
 * Returns 0 on every path.
 */
int
kprobe__SyS_madvise(struct pt_regs *ctx)
{
/*
 * NOTE(review): fs is not zero-initialised; this assumes first_step_t has no
 * fields or padding beyond what is assigned below -- confirm against its
 * definition.
 */
struct first_step_t fs;
u64 pid_tid = bpf_get_current_pid_tgid();
/*
* pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode.
*/
{
/*
 * The upper 32 bits of pid_tid are the tgid; 2878 is the traced PID written
 * into this generated code. Every other process is ignored.
 */
if ((pid_tid >> 32) != 2878) {
return 0;
}
}
fs.start_ts_nsec = bpf_ktime_get_ns();
/* All six registers are copied whatever the call's arity; unused ones hold stale values. */
fs.arg_1 = PT_REGS_PARM1(ctx);
fs.arg_2 = PT_REGS_PARM2(ctx);
fs.arg_3 = PT_REGS_PARM3(ctx);
fs.arg_4 = PT_REGS_PARM4(ctx);
fs.arg_5 = PT_REGS_PARM5(ctx);
fs.arg_6 = PT_REGS_PARM6(ctx);
/* Result ignored: if the insert fails, the exit handler finds no record and reports nothing. */
tmp_i.update(&pid_tid, &fs);
return 0;
};
/*
 * kretprobe__SyS_madvise -- SyS_madvise() exit handler
 *
 * Pairs the entry record stored in tmp_i under the pid_tid key with the
 * return value and the exit timestamp, submits the event through events and
 * deletes the entry record. Returns 0 on every path.
 */
int
kretprobe__SyS_madvise(struct pt_regs *ctx)
{
struct first_step_t *fsp;
/*
 * NOTE(review): ev is not zero-initialised; padding inside the submitted
 * prefix, if there is any, would be uninitialised stack -- confirm the
 * ev_dt_t layout.
 */
struct ev_dt_t ev;
u64 cur_nsec = bpf_ktime_get_ns();
u64 pid_tid = bpf_get_current_pid_tgid();
fsp = tmp_i.lookup(&pid_tid);
/* No entry record under this key: nothing is reported. */
if (fsp == 0)
return 0;
ev.packet_type = 0; /* No additional packets */
ev.sc_id = __NR_madvise; /* SysCall ID */
ev.arg_1 = fsp->arg_1;
ev.arg_2 = fsp->arg_2;
ev.arg_3 = fsp->arg_3;
ev.arg_4 = fsp->arg_4;
ev.arg_5 = fsp->arg_5;
ev.arg_6 = fsp->arg_6;
ev.pid_tid = pid_tid;
ev.start_ts_nsec = fsp->start_ts_nsec;
ev.finish_ts_nsec = cur_nsec;
ev.ret = PT_REGS_RC(ctx);
/* Only the bytes that precede sc_name are submitted. */
enum { ev_size = offsetof(struct ev_dt_t, sc_name) };
events.perf_submit(ctx, &ev, ev_size);
tmp_i.delete(&pid_tid);
return 0;
}
/*
* trace_libc_tmpl.c -- Trace syscalls with numbers known from libc.
* Uses BCC, eBPF.
*/
/*
 * kprobe__SyS_shmget -- SyS_shmget() entry handler
 *
 * Saves the entry timestamp and the six parameter registers in tmp_i under
 * the pid_tid key, where kretprobe__SyS_shmget looks them up at exit.
 * Returns 0 on every path.
 */
int
kprobe__SyS_shmget(struct pt_regs *ctx)
{
/*
 * NOTE(review): fs is not zero-initialised; this assumes first_step_t has no
 * fields or padding beyond what is assigned below -- confirm against its
 * definition.
 */
struct first_step_t fs;
u64 pid_tid = bpf_get_current_pid_tgid();
/*
* pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode.
*/
{
/*
 * The upper 32 bits of pid_tid are the tgid; 2878 is the traced PID written
 * into this generated code. Every other process is ignored.
 */
if ((pid_tid >> 32) != 2878) {
return 0;
}
}
fs.start_ts_nsec = bpf_ktime_get_ns();
/* All six registers are copied whatever the call's arity; unused ones hold stale values. */
fs.arg_1 = PT_REGS_PARM1(ctx);
fs.arg_2 = PT_REGS_PARM2(ctx);
fs.arg_3 = PT_REGS_PARM3(ctx);
fs.arg_4 = PT_REGS_PARM4(ctx);
fs.arg_5 = PT_REGS_PARM5(ctx);
fs.arg_6 = PT_REGS_PARM6(ctx);
/* Result ignored: if the insert fails, the exit handler finds no record and reports nothing. */
tmp_i.update(&pid_tid, &fs);
return 0;
};
/*
 * kretprobe__SyS_shmget -- SyS_shmget() exit handler
 *
 * Pairs the entry record stored in tmp_i under the pid_tid key with the
 * return value and the exit timestamp, submits the event through events and
 * deletes the entry record. Returns 0 on every path.
 */
int
kretprobe__SyS_shmget(struct pt_regs *ctx)
{
struct first_step_t *fsp;
/*
 * NOTE(review): ev is not zero-initialised; padding inside the submitted
 * prefix, if there is any, would be uninitialised stack -- confirm the
 * ev_dt_t layout.
 */
struct ev_dt_t ev;
u64 cur_nsec = bpf_ktime_get_ns();
u64 pid_tid = bpf_get_current_pid_tgid();
fsp = tmp_i.lookup(&pid_tid);
/* No entry record under this key: nothing is reported. */
if (fsp == 0)
return 0;
ev.packet_type = 0; /* No additional packets */
ev.sc_id = __NR_shmget; /* SysCall ID */
ev.arg_1 = fsp->arg_1;
ev.arg_2 = fsp->arg_2;
ev.arg_3 = fsp->arg_3;
ev.arg_4 = fsp->arg_4;
ev.arg_5 = fsp->arg_5;
ev.arg_6 = fsp->arg_6;
ev.pid_tid = pid_tid;
ev.start_ts_nsec = fsp->start_ts_nsec;
ev.finish_ts_nsec = cur_nsec;
ev.ret = PT_REGS_RC(ctx);
/* Only the bytes that precede sc_name are submitted. */
enum { ev_size = offsetof(struct ev_dt_t, sc_name) };
events.perf_submit(ctx, &ev, ev_size);
tmp_i.delete(&pid_tid);
return 0;
}
/*
* trace_libc_tmpl.c -- Trace syscalls with numbers known from libc.
* Uses BCC, eBPF.
*/
/*
 * kprobe__SyS_shmat -- SyS_shmat() entry handler
 *
 * Saves the entry timestamp and the six parameter registers in tmp_i under
 * the pid_tid key, where kretprobe__SyS_shmat looks them up at exit.
 * Returns 0 on every path.
 */
int
kprobe__SyS_shmat(struct pt_regs *ctx)
{
/*
 * NOTE(review): fs is not zero-initialised; this assumes first_step_t has no
 * fields or padding beyond what is assigned below -- confirm against its
 * definition.
 */
struct first_step_t fs;
u64 pid_tid = bpf_get_current_pid_tgid();
/*
* pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode.
*/
{
/*
 * The upper 32 bits of pid_tid are the tgid; 2878 is the traced PID written
 * into this generated code. Every other process is ignored.
 */
if ((pid_tid >> 32) != 2878) {
return 0;
}
}
fs.start_ts_nsec = bpf_ktime_get_ns();
/* All six registers are copied whatever the call's arity; unused ones hold stale values. */
fs.arg_1 = PT_REGS_PARM1(ctx);
fs.arg_2 = PT_REGS_PARM2(ctx);
fs.arg_3 = PT_REGS_PARM3(ctx);
fs.arg_4 = PT_REGS_PARM4(ctx);
fs.arg_5 = PT_REGS_PARM5(ctx);
fs.arg_6 = PT_REGS_PARM6(ctx);
/* Result ignored: if the insert fails, the exit handler finds no record and reports nothing. */
tmp_i.update(&pid_tid, &fs);
return 0;
};
/*
 * kretprobe__SyS_shmat -- SyS_shmat() exit handler
 *
 * Pairs the entry record stored in tmp_i under the pid_tid key with the
 * return value and the exit timestamp, submits the event through events and
 * deletes the entry record. Returns 0 on every path.
 */
int
kretprobe__SyS_shmat(struct pt_regs *ctx)
{
struct first_step_t *fsp;
/*
 * NOTE(review): ev is not zero-initialised; padding inside the submitted
 * prefix, if there is any, would be uninitialised stack -- confirm the
 * ev_dt_t layout.
 */
struct ev_dt_t ev;
u64 cur_nsec = bpf_ktime_get_ns();
u64 pid_tid = bpf_get_current_pid_tgid();
fsp = tmp_i.lookup(&pid_tid);
/* No entry record under this key: nothing is reported. */
if (fsp == 0)
return 0;
ev.packet_type = 0; /* No additional packets */
ev.sc_id = __NR_shmat; /* SysCall ID */
ev.arg_1 = fsp->arg_1;
ev.arg_2 = fsp->arg_2;
ev.arg_3 = fsp->arg_3;
ev.arg_4 = fsp->arg_4;
ev.arg_5 = fsp->arg_5;
ev.arg_6 = fsp->arg_6;
ev.pid_tid = pid_tid;
ev.start_ts_nsec = fsp->start_ts_nsec;
ev.finish_ts_nsec = cur_nsec;
ev.ret = PT_REGS_RC(ctx);
/* Only the bytes that precede sc_name are submitted. */
enum { ev_size = offsetof(struct ev_dt_t, sc_name) };
events.perf_submit(ctx, &ev, ev_size);
tmp_i.delete(&pid_tid);
return 0;
}
/*
* trace_libc_tmpl.c -- Trace syscalls with numbers known from libc.
* Uses BCC, eBPF.
*/
/*
 * kprobe__SyS_shmctl -- SyS_shmctl() entry handler
 *
 * Saves the entry timestamp and the six parameter registers in tmp_i under
 * the pid_tid key, where kretprobe__SyS_shmctl looks them up at exit.
 * Returns 0 on every path.
 */
int
kprobe__SyS_shmctl(struct pt_regs *ctx)
{
/*
 * NOTE(review): fs is not zero-initialised; this assumes first_step_t has no
 * fields or padding beyond what is assigned below -- confirm against its
 * definition.
 */
struct first_step_t fs;
u64 pid_tid = bpf_get_current_pid_tgid();
/*
* pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode.
*/
{
/*
 * The upper 32 bits of pid_tid are the tgid; 2878 is the traced PID written
 * into this generated code. Every other process is ignored.
 */
if ((pid_tid >> 32) != 2878) {
return 0;
}
}
fs.start_ts_nsec = bpf_ktime_get_ns();
/* All six registers are copied whatever the call's arity; unused ones hold stale values. */
fs.arg_1 = PT_REGS_PARM1(ctx);
fs.arg_2 = PT_REGS_PARM2(ctx);
fs.arg_3 = PT_REGS_PARM3(ctx);
fs.arg_4 = PT_REGS_PARM4(ctx);
fs.arg_5 = PT_REGS_PARM5(ctx);
fs.arg_6 = PT_REGS_PARM6(ctx);
/* Result ignored: if the insert fails, the exit handler finds no record and reports nothing. */
tmp_i.update(&pid_tid, &fs);
return 0;
};
/*
 * kretprobe__SyS_shmctl -- SyS_shmctl() exit handler
 *
 * Pairs the entry record stored in tmp_i under the pid_tid key with the
 * return value and the exit timestamp, submits the event through events and
 * deletes the entry record. Returns 0 on every path.
 */
int
kretprobe__SyS_shmctl(struct pt_regs *ctx)
{
struct first_step_t *fsp;
/*
 * NOTE(review): ev is not zero-initialised; padding inside the submitted
 * prefix, if there is any, would be uninitialised stack -- confirm the
 * ev_dt_t layout.
 */
struct ev_dt_t ev;
u64 cur_nsec = bpf_ktime_get_ns();
u64 pid_tid = bpf_get_current_pid_tgid();
fsp = tmp_i.lookup(&pid_tid);
/* No entry record under this key: nothing is reported. */
if (fsp == 0)
return 0;
ev.packet_type = 0; /* No additional packets */
ev.sc_id = __NR_shmctl; /* SysCall ID */
ev.arg_1 = fsp->arg_1;
ev.arg_2 = fsp->arg_2;
ev.arg_3 = fsp->arg_3;
ev.arg_4 = fsp->arg_4;
ev.arg_5 = fsp->arg_5;
ev.arg_6 = fsp->arg_6;
ev.pid_tid = pid_tid;
ev.start_ts_nsec = fsp->start_ts_nsec;
ev.finish_ts_nsec = cur_nsec;
ev.ret = PT_REGS_RC(ctx);
/* Only the bytes that precede sc_name are submitted. */
enum { ev_size = offsetof(struct ev_dt_t, sc_name) };
events.perf_submit(ctx, &ev, ev_size);
tmp_i.delete(&pid_tid);
return 0;
}
/*
* trace_libc_tmpl.c -- Trace syscalls with numbers known from libc.
* Uses BCC, eBPF.
*/
/*
 * kprobe__SyS_dup -- SyS_dup() entry handler
 *
 * Saves the entry timestamp and the six parameter registers in tmp_i under
 * the pid_tid key, where kretprobe__SyS_dup looks them up at exit.
 * Returns 0 on every path.
 */
int
kprobe__SyS_dup(struct pt_regs *ctx)
{
/*
 * NOTE(review): fs is not zero-initialised; this assumes first_step_t has no
 * fields or padding beyond what is assigned below -- confirm against its
 * definition.
 */
struct first_step_t fs;
u64 pid_tid = bpf_get_current_pid_tgid();
/*
* pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode.
*/
{
/*
 * The upper 32 bits of pid_tid are the tgid; 2878 is the traced PID written
 * into this generated code. Every other process is ignored.
 */
if ((pid_tid >> 32) != 2878) {
return 0;
}
}
fs.start_ts_nsec = bpf_ktime_get_ns();
/* All six registers are copied whatever the call's arity; unused ones hold stale values. */
fs.arg_1 = PT_REGS_PARM1(ctx);
fs.arg_2 = PT_REGS_PARM2(ctx);
fs.arg_3 = PT_REGS_PARM3(ctx);
fs.arg_4 = PT_REGS_PARM4(ctx);
fs.arg_5 = PT_REGS_PARM5(ctx);
fs.arg_6 = PT_REGS_PARM6(ctx);
/* Result ignored: if the insert fails, the exit handler finds no record and reports nothing. */
tmp_i.update(&pid_tid, &fs);
return 0;
};
/*
 * kretprobe__SyS_dup -- SyS_dup() exit handler
 *
 * Pairs the entry record stored in tmp_i under the pid_tid key with the
 * return value and the exit timestamp, submits the event through events and
 * deletes the entry record. Returns 0 on every path.
 */
int
kretprobe__SyS_dup(struct pt_regs *ctx)
{
struct first_step_t *fsp;
/*
 * NOTE(review): ev is not zero-initialised; padding inside the submitted
 * prefix, if there is any, would be uninitialised stack -- confirm the
 * ev_dt_t layout.
 */
struct ev_dt_t ev;
u64 cur_nsec = bpf_ktime_get_ns();
u64 pid_tid = bpf_get_current_pid_tgid();
fsp = tmp_i.lookup(&pid_tid);
/* No entry record under this key: nothing is reported. */
if (fsp == 0)
return 0;
ev.packet_type = 0; /* No additional packets */
ev.sc_id = __NR_dup; /* SysCall ID */
ev.arg_1 = fsp->arg_1;
ev.arg_2 = fsp->arg_2;
ev.arg_3 = fsp->arg_3;
ev.arg_4 = fsp->arg_4;
ev.arg_5 = fsp->arg_5;
ev.arg_6 = fsp->arg_6;
ev.pid_tid = pid_tid;
ev.start_ts_nsec = fsp->start_ts_nsec;
ev.finish_ts_nsec = cur_nsec;
ev.ret = PT_REGS_RC(ctx);
/* Only the bytes that precede sc_name are submitted. */
enum { ev_size = offsetof(struct ev_dt_t, sc_name) };
events.perf_submit(ctx, &ev, ev_size);
tmp_i.delete(&pid_tid);
return 0;
}
/*
* trace_libc_tmpl.c -- Trace syscalls with numbers known from libc.
* Uses BCC, eBPF.
*/
/*
 * kprobe__SyS_dup2 -- SyS_dup2() entry handler
 *
 * Saves the entry timestamp and the six parameter registers in tmp_i under
 * the pid_tid key, where kretprobe__SyS_dup2 looks them up at exit.
 * Returns 0 on every path.
 */
int
kprobe__SyS_dup2(struct pt_regs *ctx)
{
/*
 * NOTE(review): fs is not zero-initialised; this assumes first_step_t has no
 * fields or padding beyond what is assigned below -- confirm against its
 * definition.
 */
struct first_step_t fs;
u64 pid_tid = bpf_get_current_pid_tgid();
/*
* pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode.
*/
{
/*
 * The upper 32 bits of pid_tid are the tgid; 2878 is the traced PID written
 * into this generated code. Every other process is ignored.
 */
if ((pid_tid >> 32) != 2878) {
return 0;
}
}
fs.start_ts_nsec = bpf_ktime_get_ns();
/* All six registers are copied whatever the call's arity; unused ones hold stale values. */
fs.arg_1 = PT_REGS_PARM1(ctx);
fs.arg_2 = PT_REGS_PARM2(ctx);
fs.arg_3 = PT_REGS_PARM3(ctx);
fs.arg_4 = PT_REGS_PARM4(ctx);
fs.arg_5 = PT_REGS_PARM5(ctx);
fs.arg_6 = PT_REGS_PARM6(ctx);
/* Result ignored: if the insert fails, the exit handler finds no record and reports nothing. */
tmp_i.update(&pid_tid, &fs);
return 0;
};
/*
 * kretprobe__SyS_dup2 -- SyS_dup2() exit handler
 *
 * Pairs the entry record stored in tmp_i under the pid_tid key with the
 * return value and the exit timestamp, submits the event through events and
 * deletes the entry record. Returns 0 on every path.
 */
int
kretprobe__SyS_dup2(struct pt_regs *ctx)
{
struct first_step_t *fsp;
/*
 * NOTE(review): ev is not zero-initialised; padding inside the submitted
 * prefix, if there is any, would be uninitialised stack -- confirm the
 * ev_dt_t layout.
 */
struct ev_dt_t ev;
u64 cur_nsec = bpf_ktime_get_ns();
u64 pid_tid = bpf_get_current_pid_tgid();
fsp = tmp_i.lookup(&pid_tid);
/* No entry record under this key: nothing is reported. */
if (fsp == 0)
return 0;
ev.packet_type = 0; /* No additional packets */
ev.sc_id = __NR_dup2; /* SysCall ID */
ev.arg_1 = fsp->arg_1;
ev.arg_2 = fsp->arg_2;
ev.arg_3 = fsp->arg_3;
ev.arg_4 = fsp->arg_4;
ev.arg_5 = fsp->arg_5;
ev.arg_6 = fsp->arg_6;
ev.pid_tid = pid_tid;
ev.start_ts_nsec = fsp->start_ts_nsec;
ev.finish_ts_nsec = cur_nsec;
ev.ret = PT_REGS_RC(ctx);
/* Only the bytes that precede sc_name are submitted. */
enum { ev_size = offsetof(struct ev_dt_t, sc_name) };
events.perf_submit(ctx, &ev, ev_size);
tmp_i.delete(&pid_tid);
return 0;
}
/*
* trace_libc_tmpl.c -- Trace syscalls with numbers known from libc.
* Uses BCC, eBPF.
*/
/*
 * kprobe__sys_pause -- sys_pause() entry handler
 *
 * Saves the entry timestamp and the six parameter registers in tmp_i under
 * the pid_tid key, where kretprobe__sys_pause looks them up at exit.
 * Returns 0 on every path.
 */
int
kprobe__sys_pause(struct pt_regs *ctx)
{
/*
 * NOTE(review): fs is not zero-initialised; this assumes first_step_t has no
 * fields or padding beyond what is assigned below -- confirm against its
 * definition.
 */
struct first_step_t fs;
u64 pid_tid = bpf_get_current_pid_tgid();
/*
* pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode.
*/
{
/*
 * The upper 32 bits of pid_tid are the tgid; 2878 is the traced PID written
 * into this generated code. Every other process is ignored.
 */
if ((pid_tid >> 32) != 2878) {
return 0;
}
}
fs.start_ts_nsec = bpf_ktime_get_ns();
/* pause() takes no arguments, so all six saved values are stale register contents. */
fs.arg_1 = PT_REGS_PARM1(ctx);
fs.arg_2 = PT_REGS_PARM2(ctx);
fs.arg_3 = PT_REGS_PARM3(ctx);
fs.arg_4 = PT_REGS_PARM4(ctx);
fs.arg_5 = PT_REGS_PARM5(ctx);
fs.arg_6 = PT_REGS_PARM6(ctx);
/* Result ignored: if the insert fails, the exit handler finds no record and reports nothing. */
tmp_i.update(&pid_tid, &fs);
return 0;
};
/*
 * kretprobe__sys_pause -- sys_pause() exit handler
 *
 * Pairs the entry record stored in tmp_i under the pid_tid key with the
 * return value and the exit timestamp, submits the event through events and
 * deletes the entry record. Returns 0 on every path.
 */
int
kretprobe__sys_pause(struct pt_regs *ctx)
{
struct first_step_t *fsp;
/*
 * NOTE(review): ev is not zero-initialised; padding inside the submitted
 * prefix, if there is any, would be uninitialised stack -- confirm the
 * ev_dt_t layout.
 */
struct ev_dt_t ev;
u64 cur_nsec = bpf_ktime_get_ns();
u64 pid_tid = bpf_get_current_pid_tgid();
fsp = tmp_i.lookup(&pid_tid);
/* No entry record under this key: nothing is reported. */
if (fsp == 0)
return 0;
ev.packet_type = 0; /* No additional packets */
ev.sc_id = __NR_pause; /* SysCall ID */
ev.arg_1 = fsp->arg_1;
ev.arg_2 = fsp->arg_2;
ev.arg_3 = fsp->arg_3;
ev.arg_4 = fsp->arg_4;
ev.arg_5 = fsp->arg_5;
ev.arg_6 = fsp->arg_6;
ev.pid_tid = pid_tid;
ev.start_ts_nsec = fsp->start_ts_nsec;
ev.finish_ts_nsec = cur_nsec;
ev.ret = PT_REGS_RC(ctx);
/* Only the bytes that precede sc_name are submitted. */
enum { ev_size = offsetof(struct ev_dt_t, sc_name) };
events.perf_submit(ctx, &ev, ev_size);
tmp_i.delete(&pid_tid);
return 0;
}
/*
* trace_libc_tmpl.c -- Trace syscalls with numbers known from libc.
* Uses BCC, eBPF.
*/
/*
 * kprobe__SyS_nanosleep -- SyS_nanosleep() entry handler
 *
 * Saves the entry timestamp and the six parameter registers in tmp_i under
 * the pid_tid key, where kretprobe__SyS_nanosleep looks them up at exit.
 * Returns 0 on every path.
 */
int
kprobe__SyS_nanosleep(struct pt_regs *ctx)
{
/*
 * NOTE(review): fs is not zero-initialised; this assumes first_step_t has no
 * fields or padding beyond what is assigned below -- confirm against its
 * definition.
 */
struct first_step_t fs;
u64 pid_tid = bpf_get_current_pid_tgid();
/*
* pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode.
*/
{
/*
 * The upper 32 bits of pid_tid are the tgid; 2878 is the traced PID written
 * into this generated code. Every other process is ignored.
 */
if ((pid_tid >> 32) != 2878) {
return 0;
}
}
fs.start_ts_nsec = bpf_ktime_get_ns();
/* All six registers are copied whatever the call's arity; unused ones hold stale values. */
fs.arg_1 = PT_REGS_PARM1(ctx);
fs.arg_2 = PT_REGS_PARM2(ctx);
fs.arg_3 = PT_REGS_PARM3(ctx);
fs.arg_4 = PT_REGS_PARM4(ctx);
fs.arg_5 = PT_REGS_PARM5(ctx);
fs.arg_6 = PT_REGS_PARM6(ctx);
/* Result ignored: if the insert fails, the exit handler finds no record and reports nothing. */
tmp_i.update(&pid_tid, &fs);
return 0;
};
/*
 * kretprobe__SyS_nanosleep -- SyS_nanosleep() exit handler
 *
 * Pairs the entry record stored in tmp_i under the pid_tid key with the
 * return value and the exit timestamp, submits the event through events and
 * deletes the entry record. Returns 0 on every path.
 */
int
kretprobe__SyS_nanosleep(struct pt_regs *ctx)
{
struct first_step_t *fsp;
/*
 * NOTE(review): ev is not zero-initialised; padding inside the submitted
 * prefix, if there is any, would be uninitialised stack -- confirm the
 * ev_dt_t layout.
 */
struct ev_dt_t ev;
u64 cur_nsec = bpf_ktime_get_ns();
u64 pid_tid = bpf_get_current_pid_tgid();
fsp = tmp_i.lookup(&pid_tid);
/* No entry record under this key: nothing is reported. */
if (fsp == 0)
return 0;
ev.packet_type = 0; /* No additional packets */
ev.sc_id = __NR_nanosleep; /* SysCall ID */
ev.arg_1 = fsp->arg_1;
ev.arg_2 = fsp->arg_2;
ev.arg_3 = fsp->arg_3;
ev.arg_4 = fsp->arg_4;
ev.arg_5 = fsp->arg_5;
ev.arg_6 = fsp->arg_6;
ev.pid_tid = pid_tid;
ev.start_ts_nsec = fsp->start_ts_nsec;
ev.finish_ts_nsec = cur_nsec;
ev.ret = PT_REGS_RC(ctx);
/* Only the bytes that precede sc_name are submitted. */
enum { ev_size = offsetof(struct ev_dt_t, sc_name) };
events.perf_submit(ctx, &ev, ev_size);
tmp_i.delete(&pid_tid);
return 0;
}
/*
* trace_libc_tmpl.c -- Trace syscalls with numbers known from libc.
* Uses BCC, eBPF.
*/
/*
 * kprobe__SyS_getitimer -- SyS_getitimer() entry handler
 *
 * Saves the entry timestamp and the six parameter registers in tmp_i under
 * the pid_tid key, where kretprobe__SyS_getitimer looks them up at exit.
 * Returns 0 on every path.
 */
int
kprobe__SyS_getitimer(struct pt_regs *ctx)
{
/*
 * NOTE(review): fs is not zero-initialised; this assumes first_step_t has no
 * fields or padding beyond what is assigned below -- confirm against its
 * definition.
 */
struct first_step_t fs;
u64 pid_tid = bpf_get_current_pid_tgid();
/*
* pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode.
*/
{
/*
 * The upper 32 bits of pid_tid are the tgid; 2878 is the traced PID written
 * into this generated code. Every other process is ignored.
 */
if ((pid_tid >> 32) != 2878) {
return 0;
}
}
fs.start_ts_nsec = bpf_ktime_get_ns();
/* All six registers are copied whatever the call's arity; unused ones hold stale values. */
fs.arg_1 = PT_REGS_PARM1(ctx);
fs.arg_2 = PT_REGS_PARM2(ctx);
fs.arg_3 = PT_REGS_PARM3(ctx);
fs.arg_4 = PT_REGS_PARM4(ctx);
fs.arg_5 = PT_REGS_PARM5(ctx);
fs.arg_6 = PT_REGS_PARM6(ctx);
/* Result ignored: if the insert fails, the exit handler finds no record and reports nothing. */
tmp_i.update(&pid_tid, &fs);
return 0;
};
/*
 * kretprobe__SyS_getitimer -- SyS_getitimer() exit handler
 *
 * Pairs the entry record stored in tmp_i under the pid_tid key with the
 * return value and the exit timestamp, submits the event through events and
 * deletes the entry record. Returns 0 on every path.
 */
int
kretprobe__SyS_getitimer(struct pt_regs *ctx)
{
struct first_step_t *fsp;
/*
 * NOTE(review): ev is not zero-initialised; padding inside the submitted
 * prefix, if there is any, would be uninitialised stack -- confirm the
 * ev_dt_t layout.
 */
struct ev_dt_t ev;
u64 cur_nsec = bpf_ktime_get_ns();
u64 pid_tid = bpf_get_current_pid_tgid();
fsp = tmp_i.lookup(&pid_tid);
/* No entry record under this key: nothing is reported. */
if (fsp == 0)
return 0;
ev.packet_type = 0; /* No additional packets */
ev.sc_id = __NR_getitimer; /* SysCall ID */
ev.arg_1 = fsp->arg_1;
ev.arg_2 = fsp->arg_2;
ev.arg_3 = fsp->arg_3;
ev.arg_4 = fsp->arg_4;
ev.arg_5 = fsp->arg_5;
ev.arg_6 = fsp->arg_6;
ev.pid_tid = pid_tid;
ev.start_ts_nsec = fsp->start_ts_nsec;
ev.finish_ts_nsec = cur_nsec;
ev.ret = PT_REGS_RC(ctx);
/* Only the bytes that precede sc_name are submitted. */
enum { ev_size = offsetof(struct ev_dt_t, sc_name) };
events.perf_submit(ctx, &ev, ev_size);
tmp_i.delete(&pid_tid);
return 0;
}
/*
* trace_libc_tmpl.c -- Trace syscalls with numbers known from libc.
* Uses BCC, eBPF.
*/
/*
 * kprobe__SyS_alarm -- SyS_alarm() entry handler
 *
 * Saves the entry timestamp and the six parameter registers in tmp_i under
 * the pid_tid key, where kretprobe__SyS_alarm looks them up at exit.
 * Returns 0 on every path.
 */
int
kprobe__SyS_alarm(struct pt_regs *ctx)
{
/*
 * NOTE(review): fs is not zero-initialised; this assumes first_step_t has no
 * fields or padding beyond what is assigned below -- confirm against its
 * definition.
 */
struct first_step_t fs;
u64 pid_tid = bpf_get_current_pid_tgid();
/*
* pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode.
*/
{
/*
 * The upper 32 bits of pid_tid are the tgid; 2878 is the traced PID written
 * into this generated code. Every other process is ignored.
 */
if ((pid_tid >> 32) != 2878) {
return 0;
}
}
fs.start_ts_nsec = bpf_ktime_get_ns();
/* All six registers are copied whatever the call's arity; unused ones hold stale values. */
fs.arg_1 = PT_REGS_PARM1(ctx);
fs.arg_2 = PT_REGS_PARM2(ctx);
fs.arg_3 = PT_REGS_PARM3(ctx);
fs.arg_4 = PT_REGS_PARM4(ctx);
fs.arg_5 = PT_REGS_PARM5(ctx);
fs.arg_6 = PT_REGS_PARM6(ctx);
/* Result ignored: if the insert fails, the exit handler finds no record and reports nothing. */
tmp_i.update(&pid_tid, &fs);
return 0;
};
/*
 * kretprobe__SyS_alarm -- SyS_alarm() exit handler
 *
 * Pairs the entry record stored in tmp_i under the pid_tid key with the
 * return value and the exit timestamp, submits the event through events and
 * deletes the entry record. Returns 0 on every path.
 */
int
kretprobe__SyS_alarm(struct pt_regs *ctx)
{
struct first_step_t *fsp;
/*
 * NOTE(review): ev is not zero-initialised; padding inside the submitted
 * prefix, if there is any, would be uninitialised stack -- confirm the
 * ev_dt_t layout.
 */
struct ev_dt_t ev;
u64 cur_nsec = bpf_ktime_get_ns();
u64 pid_tid = bpf_get_current_pid_tgid();
fsp = tmp_i.lookup(&pid_tid);
/* No entry record under this key: nothing is reported. */
if (fsp == 0)
return 0;
ev.packet_type = 0; /* No additional packets */
ev.sc_id = __NR_alarm; /* SysCall ID */
ev.arg_1 = fsp->arg_1;
ev.arg_2 = fsp->arg_2;
ev.arg_3 = fsp->arg_3;
ev.arg_4 = fsp->arg_4;
ev.arg_5 = fsp->arg_5;
ev.arg_6 = fsp->arg_6;
ev.pid_tid = pid_tid;
ev.start_ts_nsec = fsp->start_ts_nsec;
ev.finish_ts_nsec = cur_nsec;
ev.ret = PT_REGS_RC(ctx);
/* Only the bytes that precede sc_name are submitted. */
enum { ev_size = offsetof(struct ev_dt_t, sc_name) };
events.perf_submit(ctx, &ev, ev_size);
tmp_i.delete(&pid_tid);
return 0;
}
/*
* trace_libc_tmpl.c -- Trace syscalls with numbers known from libc.
* Uses BCC, eBPF.
*/
/*
 * kprobe__SyS_setitimer -- SyS_setitimer() entry handler
 *
 * Saves the entry timestamp and the six parameter registers in tmp_i under
 * the pid_tid key, where kretprobe__SyS_setitimer looks them up at exit.
 * Returns 0 on every path.
 */
int
kprobe__SyS_setitimer(struct pt_regs *ctx)
{
/*
 * NOTE(review): fs is not zero-initialised; this assumes first_step_t has no
 * fields or padding beyond what is assigned below -- confirm against its
 * definition.
 */
struct first_step_t fs;
u64 pid_tid = bpf_get_current_pid_tgid();
/*
* pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode.
*/
{
/*
 * The upper 32 bits of pid_tid are the tgid; 2878 is the traced PID written
 * into this generated code. Every other process is ignored.
 */
if ((pid_tid >> 32) != 2878) {
return 0;
}
}
fs.start_ts_nsec = bpf_ktime_get_ns();
/* All six registers are copied whatever the call's arity; unused ones hold stale values. */
fs.arg_1 = PT_REGS_PARM1(ctx);
fs.arg_2 = PT_REGS_PARM2(ctx);
fs.arg_3 = PT_REGS_PARM3(ctx);
fs.arg_4 = PT_REGS_PARM4(ctx);
fs.arg_5 = PT_REGS_PARM5(ctx);
fs.arg_6 = PT_REGS_PARM6(ctx);
/* Result ignored: if the insert fails, the exit handler finds no record and reports nothing. */
tmp_i.update(&pid_tid, &fs);
return 0;
};
/*
 * kretprobe__SyS_setitimer -- SyS_setitimer() exit handler
 *
 * Pairs the entry record stored in tmp_i under the pid_tid key with the
 * return value and the exit timestamp, submits the event through events and
 * deletes the entry record. Returns 0 on every path.
 */
int
kretprobe__SyS_setitimer(struct pt_regs *ctx)
{
struct first_step_t *fsp;
/*
 * NOTE(review): ev is not zero-initialised; padding inside the submitted
 * prefix, if there is any, would be uninitialised stack -- confirm the
 * ev_dt_t layout.
 */
struct ev_dt_t ev;
u64 cur_nsec = bpf_ktime_get_ns();
u64 pid_tid = bpf_get_current_pid_tgid();
fsp = tmp_i.lookup(&pid_tid);
/* No entry record under this key: nothing is reported. */
if (fsp == 0)
return 0;
ev.packet_type = 0; /* No additional packets */
ev.sc_id = __NR_setitimer; /* SysCall ID */
ev.arg_1 = fsp->arg_1;
ev.arg_2 = fsp->arg_2;
ev.arg_3 = fsp->arg_3;
ev.arg_4 = fsp->arg_4;
ev.arg_5 = fsp->arg_5;
ev.arg_6 = fsp->arg_6;
ev.pid_tid = pid_tid;
ev.start_ts_nsec = fsp->start_ts_nsec;
ev.finish_ts_nsec = cur_nsec;
ev.ret = PT_REGS_RC(ctx);
/* Only the bytes that precede sc_name are submitted. */
enum { ev_size = offsetof(struct ev_dt_t, sc_name) };
events.perf_submit(ctx, &ev, ev_size);
tmp_i.delete(&pid_tid);
return 0;
}
/*
* trace_libc_tmpl.c -- Trace syscalls with numbers known from libc.
* Uses BCC, eBPF.
*/
/*
 * kprobe__sys_getpid -- sys_getpid() entry handler
 *
 * Saves the entry timestamp and the six parameter registers in tmp_i under
 * the pid_tid key, where kretprobe__sys_getpid looks them up at exit.
 * Returns 0 on every path.
 */
int
kprobe__sys_getpid(struct pt_regs *ctx)
{
/*
 * NOTE(review): fs is not zero-initialised; this assumes first_step_t has no
 * fields or padding beyond what is assigned below -- confirm against its
 * definition.
 */
struct first_step_t fs;
u64 pid_tid = bpf_get_current_pid_tgid();
/*
* pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode.
*/
{
/*
 * The upper 32 bits of pid_tid are the tgid; 2878 is the traced PID written
 * into this generated code. Every other process is ignored.
 */
if ((pid_tid >> 32) != 2878) {
return 0;
}
}
fs.start_ts_nsec = bpf_ktime_get_ns();
/* getpid() takes no arguments, so all six saved values are stale register contents. */
fs.arg_1 = PT_REGS_PARM1(ctx);
fs.arg_2 = PT_REGS_PARM2(ctx);
fs.arg_3 = PT_REGS_PARM3(ctx);
fs.arg_4 = PT_REGS_PARM4(ctx);
fs.arg_5 = PT_REGS_PARM5(ctx);
fs.arg_6 = PT_REGS_PARM6(ctx);
/* Result ignored: if the insert fails, the exit handler finds no record and reports nothing. */
tmp_i.update(&pid_tid, &fs);
return 0;
};
/*
 * kretprobe__sys_getpid -- sys_getpid() exit handler
 *
 * Pairs the entry record stored in tmp_i under the pid_tid key with the
 * return value and the exit timestamp, submits the event through events and
 * deletes the entry record. Returns 0 on every path.
 */
int
kretprobe__sys_getpid(struct pt_regs *ctx)
{
struct first_step_t *fsp;
/*
 * NOTE(review): ev is not zero-initialised; padding inside the submitted
 * prefix, if there is any, would be uninitialised stack -- confirm the
 * ev_dt_t layout.
 */
struct ev_dt_t ev;
u64 cur_nsec = bpf_ktime_get_ns();
u64 pid_tid = bpf_get_current_pid_tgid();
fsp = tmp_i.lookup(&pid_tid);
/* No entry record under this key: nothing is reported. */
if (fsp == 0)
return 0;
ev.packet_type = 0; /* No additional packets */
ev.sc_id = __NR_getpid; /* SysCall ID */
ev.arg_1 = fsp->arg_1;
ev.arg_2 = fsp->arg_2;
ev.arg_3 = fsp->arg_3;
ev.arg_4 = fsp->arg_4;
ev.arg_5 = fsp->arg_5;
ev.arg_6 = fsp->arg_6;
ev.pid_tid = pid_tid;
ev.start_ts_nsec = fsp->start_ts_nsec;
ev.finish_ts_nsec = cur_nsec;
ev.ret = PT_REGS_RC(ctx);
/* Only the bytes that precede sc_name are submitted. */
enum { ev_size = offsetof(struct ev_dt_t, sc_name) };
events.perf_submit(ctx, &ev, ev_size);
tmp_i.delete(&pid_tid);
return 0;
}
/*
* trace_libc_tmpl.c -- Trace syscalls with numbers known from libc.
* Uses BCC, eBPF.
*/
/*
 * kprobe__SyS_sendfile -- SyS_sendfile() entry handler
 *
 * Saves the entry timestamp and the six parameter registers in tmp_i under
 * the pid_tid key, where kretprobe__SyS_sendfile looks them up at exit.
 * Returns 0 on every path.
 */
int
kprobe__SyS_sendfile(struct pt_regs *ctx)
{
/*
 * NOTE(review): fs is not zero-initialised; this assumes first_step_t has no
 * fields or padding beyond what is assigned below -- confirm against its
 * definition.
 */
struct first_step_t fs;
u64 pid_tid = bpf_get_current_pid_tgid();
/*
* pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode.
*/
{
/*
 * The upper 32 bits of pid_tid are the tgid; 2878 is the traced PID written
 * into this generated code. Every other process is ignored.
 */
if ((pid_tid >> 32) != 2878) {
return 0;
}
}
fs.start_ts_nsec = bpf_ktime_get_ns();
/* All six registers are copied whatever the call's arity; unused ones hold stale values. */
fs.arg_1 = PT_REGS_PARM1(ctx);
fs.arg_2 = PT_REGS_PARM2(ctx);
fs.arg_3 = PT_REGS_PARM3(ctx);
fs.arg_4 = PT_REGS_PARM4(ctx);
fs.arg_5 = PT_REGS_PARM5(ctx);
fs.arg_6 = PT_REGS_PARM6(ctx);
/* Result ignored: if the insert fails, the exit handler finds no record and reports nothing. */
tmp_i.update(&pid_tid, &fs);
return 0;
};
/*
 * kretprobe__SyS_sendfile -- SyS_sendfile() exit handler
 *
 * Pairs the entry record stored in tmp_i under the pid_tid key with the
 * return value and the exit timestamp, submits the event through events and
 * deletes the entry record. Returns 0 on every path.
 */
int
kretprobe__SyS_sendfile(struct pt_regs *ctx)
{
struct first_step_t *fsp;
/*
 * NOTE(review): ev is not zero-initialised; padding inside the submitted
 * prefix, if there is any, would be uninitialised stack -- confirm the
 * ev_dt_t layout.
 */
struct ev_dt_t ev;
u64 cur_nsec = bpf_ktime_get_ns();
u64 pid_tid = bpf_get_current_pid_tgid();
fsp = tmp_i.lookup(&pid_tid);
/* No entry record under this key: nothing is reported. */
if (fsp == 0)
return 0;
ev.packet_type = 0; /* No additional packets */
ev.sc_id = __NR_sendfile; /* SysCall ID */
ev.arg_1 = fsp->arg_1;
ev.arg_2 = fsp->arg_2;
ev.arg_3 = fsp->arg_3;
ev.arg_4 = fsp->arg_4;
ev.arg_5 = fsp->arg_5;
ev.arg_6 = fsp->arg_6;
ev.pid_tid = pid_tid;
ev.start_ts_nsec = fsp->start_ts_nsec;
ev.finish_ts_nsec = cur_nsec;
ev.ret = PT_REGS_RC(ctx);
/* Only the bytes that precede sc_name are submitted. */
enum { ev_size = offsetof(struct ev_dt_t, sc_name) };
events.perf_submit(ctx, &ev, ev_size);
tmp_i.delete(&pid_tid);
return 0;
}
/*
* trace_libc_tmpl.c -- Trace syscalls with numbers known from libc.
* Uses BCC, eBPF.
*/
/*
 * kprobe__SyS_socket -- SyS_socket() entry handler
 *
 * Saves the entry timestamp and the six parameter registers in tmp_i under
 * the pid_tid key, where kretprobe__SyS_socket looks them up at exit.
 * Returns 0 on every path.
 */
int
kprobe__SyS_socket(struct pt_regs *ctx)
{
/*
 * NOTE(review): fs is not zero-initialised; this assumes first_step_t has no
 * fields or padding beyond what is assigned below -- confirm against its
 * definition.
 */
struct first_step_t fs;
u64 pid_tid = bpf_get_current_pid_tgid();
/*
* pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode.
*/
{
/*
 * The upper 32 bits of pid_tid are the tgid; 2878 is the traced PID written
 * into this generated code. Every other process is ignored.
 */
if ((pid_tid >> 32) != 2878) {
return 0;
}
}
fs.start_ts_nsec = bpf_ktime_get_ns();
/* All six registers are copied whatever the call's arity; unused ones hold stale values. */
fs.arg_1 = PT_REGS_PARM1(ctx);
fs.arg_2 = PT_REGS_PARM2(ctx);
fs.arg_3 = PT_REGS_PARM3(ctx);
fs.arg_4 = PT_REGS_PARM4(ctx);
fs.arg_5 = PT_REGS_PARM5(ctx);
fs.arg_6 = PT_REGS_PARM6(ctx);
/* Result ignored: if the insert fails, the exit handler finds no record and reports nothing. */
tmp_i.update(&pid_tid, &fs);
return 0;
};
/*
 * kretprobe__SyS_socket -- SyS_socket() exit handler
 *
 * Pairs the entry record stored in tmp_i under the pid_tid key with the
 * return value and the exit timestamp, submits the event through events and
 * deletes the entry record. Returns 0 on every path.
 */
int
kretprobe__SyS_socket(struct pt_regs *ctx)
{
struct first_step_t *fsp;
/*
 * NOTE(review): ev is not zero-initialised; padding inside the submitted
 * prefix, if there is any, would be uninitialised stack -- confirm the
 * ev_dt_t layout.
 */
struct ev_dt_t ev;
u64 cur_nsec = bpf_ktime_get_ns();
u64 pid_tid = bpf_get_current_pid_tgid();
fsp = tmp_i.lookup(&pid_tid);
/* No entry record under this key: nothing is reported. */
if (fsp == 0)
return 0;
ev.packet_type = 0; /* No additional packets */
ev.sc_id = __NR_socket; /* SysCall ID */
ev.arg_1 = fsp->arg_1;
ev.arg_2 = fsp->arg_2;
ev.arg_3 = fsp->arg_3;
ev.arg_4 = fsp->arg_4;
ev.arg_5 = fsp->arg_5;
ev.arg_6 = fsp->arg_6;
ev.pid_tid = pid_tid;
ev.start_ts_nsec = fsp->start_ts_nsec;
ev.finish_ts_nsec = cur_nsec;
ev.ret = PT_REGS_RC(ctx);
/* Only the bytes that precede sc_name are submitted. */
enum { ev_size = offsetof(struct ev_dt_t, sc_name) };
events.perf_submit(ctx, &ev, ev_size);
tmp_i.delete(&pid_tid);
return 0;
}
/*
* trace_libc_tmpl.c -- Trace syscalls with numbers known from libc.
* Uses BCC, eBPF.
*/
/*
* kprobe__SyS_connect -- SyS_connect() entry handler
*/
int
kprobe__SyS_connect(struct pt_regs *ctx)
{
	/*
	 * Entry half of the SyS_connect() trace: snapshots the six argument
	 * registers and the entry time, keyed by pid_tid, for the exit probe.
	 */
	u64 pid_tid = bpf_get_current_pid_tgid();

	/*
	 * pid_check_ff_disabled_hook.c -- no-follow-fork mode.
	 * The upper 32 bits are the tgid (process ID). Only the process ID
	 * baked in at generation time (2878) is recorded; calls from any
	 * other process, forked children included, are dropped here.
	 */
	if ((pid_tid >> 32) != 2878)
		return 0;

	struct first_step_t entry;

	entry.start_ts_nsec = bpf_ktime_get_ns();
	/*
	 * Raw register values; pointer arguments are kept as addresses and
	 * the memory they point to is not read here.
	 */
	entry.arg_1 = PT_REGS_PARM1(ctx);
	entry.arg_2 = PT_REGS_PARM2(ctx);
	entry.arg_3 = PT_REGS_PARM3(ctx);
	entry.arg_4 = PT_REGS_PARM4(ctx);
	entry.arg_5 = PT_REGS_PARM5(ctx);
	entry.arg_6 = PT_REGS_PARM6(ctx);

	/* Keyed by the full pid_tid, so each thread has its own slot. */
	tmp_i.update(&pid_tid, &entry);
	return 0;
}
/*
* kretprobe__SyS_connect -- SyS_connect() exit handler
*/
int
kretprobe__SyS_connect(struct pt_regs *ctx)
{
	/*
	 * Exit half of the SyS_connect() trace: pairs the record saved by
	 * the entry probe with the return value and emits one event.
	 */
	u64 cur_nsec = bpf_ktime_get_ns();
	u64 pid_tid = bpf_get_current_pid_tgid();
	struct first_step_t *saved = tmp_i.lookup(&pid_tid);

	/* No saved entry for this thread: nothing to pair, emit nothing. */
	if (!saved)
		return 0;

	struct ev_dt_t out;

	out.pid_tid = pid_tid;
	out.sc_id = __NR_connect;	/* syscall number */
	out.packet_type = 0;		/* single-packet event */
	out.start_ts_nsec = saved->start_ts_nsec;
	out.finish_ts_nsec = cur_nsec;
	/* Arguments as captured at entry (raw register values). */
	out.arg_1 = saved->arg_1;
	out.arg_2 = saved->arg_2;
	out.arg_3 = saved->arg_3;
	out.arg_4 = saved->arg_4;
	out.arg_5 = saved->arg_5;
	out.arg_6 = saved->arg_6;
	out.ret = PT_REGS_RC(ctx);

	/*
	 * Only the bytes ahead of sc_name are submitted.
	 * NOTE(review): `out` is never zeroed and struct ev_dt_t is declared
	 * outside this view -- confirm that every byte before sc_name
	 * (padding included) is written above, otherwise uninitialized
	 * stack would be copied to the perf buffer.
	 */
	events.perf_submit(ctx, &out, offsetof(struct ev_dt_t, sc_name));
	tmp_i.delete(&pid_tid);
	return 0;
}
/*
* trace_libc_tmpl.c -- Trace syscalls with numbers known from libc.
* Uses BCC, eBPF.
*/
/*
* kprobe__SyS_accept -- SyS_accept() entry handler
*/
int
kprobe__SyS_accept(struct pt_regs *ctx)
{
	/*
	 * Entry half of the SyS_accept() trace: snapshots the six argument
	 * registers and the entry time, keyed by pid_tid, for the exit probe.
	 */
	u64 pid_tid = bpf_get_current_pid_tgid();

	/*
	 * pid_check_ff_disabled_hook.c -- no-follow-fork mode.
	 * The upper 32 bits are the tgid (process ID). Only the process ID
	 * baked in at generation time (2878) is recorded; calls from any
	 * other process, forked children included, are dropped here.
	 */
	if ((pid_tid >> 32) != 2878)
		return 0;

	struct first_step_t entry;

	entry.start_ts_nsec = bpf_ktime_get_ns();
	/* Raw register values; pointer arguments are kept as addresses. */
	entry.arg_1 = PT_REGS_PARM1(ctx);
	entry.arg_2 = PT_REGS_PARM2(ctx);
	entry.arg_3 = PT_REGS_PARM3(ctx);
	entry.arg_4 = PT_REGS_PARM4(ctx);
	entry.arg_5 = PT_REGS_PARM5(ctx);
	entry.arg_6 = PT_REGS_PARM6(ctx);

	/* Keyed by the full pid_tid, so each thread has its own slot. */
	tmp_i.update(&pid_tid, &entry);
	return 0;
}
/*
* kretprobe__SyS_accept -- SyS_accept() exit handler
*/
int
kretprobe__SyS_accept(struct pt_regs *ctx)
{
	/*
	 * Exit half of the SyS_accept() trace: pairs the record saved by
	 * the entry probe with the return value and emits one event.
	 */
	u64 cur_nsec = bpf_ktime_get_ns();
	u64 pid_tid = bpf_get_current_pid_tgid();
	struct first_step_t *saved = tmp_i.lookup(&pid_tid);

	/* No saved entry for this thread: nothing to pair, emit nothing. */
	if (!saved)
		return 0;

	struct ev_dt_t out;

	out.pid_tid = pid_tid;
	out.sc_id = __NR_accept;	/* syscall number */
	out.packet_type = 0;		/* single-packet event */
	out.start_ts_nsec = saved->start_ts_nsec;
	out.finish_ts_nsec = cur_nsec;
	/* Arguments as captured at entry (raw register values). */
	out.arg_1 = saved->arg_1;
	out.arg_2 = saved->arg_2;
	out.arg_3 = saved->arg_3;
	out.arg_4 = saved->arg_4;
	out.arg_5 = saved->arg_5;
	out.arg_6 = saved->arg_6;
	out.ret = PT_REGS_RC(ctx);

	/*
	 * Only the bytes ahead of sc_name are submitted.
	 * NOTE(review): `out` is never zeroed and struct ev_dt_t is declared
	 * outside this view -- confirm that every byte before sc_name
	 * (padding included) is written above, otherwise uninitialized
	 * stack would be copied to the perf buffer.
	 */
	events.perf_submit(ctx, &out, offsetof(struct ev_dt_t, sc_name));
	tmp_i.delete(&pid_tid);
	return 0;
}
/*
* trace_libc_tmpl.c -- Trace syscalls with numbers known from libc.
* Uses BCC, eBPF.
*/
/*
* kprobe__SyS_sendto -- SyS_sendto() entry handler
*/
int
kprobe__SyS_sendto(struct pt_regs *ctx)
{
	/*
	 * Entry half of the SyS_sendto() trace: snapshots the six argument
	 * registers and the entry time, keyed by pid_tid, for the exit probe.
	 */
	u64 pid_tid = bpf_get_current_pid_tgid();

	/*
	 * pid_check_ff_disabled_hook.c -- no-follow-fork mode.
	 * The upper 32 bits are the tgid (process ID). Only the process ID
	 * baked in at generation time (2878) is recorded; calls from any
	 * other process, forked children included, are dropped here.
	 */
	if ((pid_tid >> 32) != 2878)
		return 0;

	struct first_step_t entry;

	entry.start_ts_nsec = bpf_ktime_get_ns();
	/*
	 * Raw register values; pointer arguments are kept as addresses and
	 * the memory they point to is not read here.
	 */
	entry.arg_1 = PT_REGS_PARM1(ctx);
	entry.arg_2 = PT_REGS_PARM2(ctx);
	entry.arg_3 = PT_REGS_PARM3(ctx);
	entry.arg_4 = PT_REGS_PARM4(ctx);
	entry.arg_5 = PT_REGS_PARM5(ctx);
	entry.arg_6 = PT_REGS_PARM6(ctx);

	/* Keyed by the full pid_tid, so each thread has its own slot. */
	tmp_i.update(&pid_tid, &entry);
	return 0;
}
/*
* kretprobe__SyS_sendto -- SyS_sendto() exit handler
*/
int
kretprobe__SyS_sendto(struct pt_regs *ctx)
{
	/*
	 * Exit half of the SyS_sendto() trace: pairs the record saved by
	 * the entry probe with the return value and emits one event.
	 */
	u64 cur_nsec = bpf_ktime_get_ns();
	u64 pid_tid = bpf_get_current_pid_tgid();
	struct first_step_t *saved = tmp_i.lookup(&pid_tid);

	/* No saved entry for this thread: nothing to pair, emit nothing. */
	if (!saved)
		return 0;

	struct ev_dt_t out;

	out.pid_tid = pid_tid;
	out.sc_id = __NR_sendto;	/* syscall number */
	out.packet_type = 0;		/* single-packet event */
	out.start_ts_nsec = saved->start_ts_nsec;
	out.finish_ts_nsec = cur_nsec;
	/* Arguments as captured at entry (raw register values). */
	out.arg_1 = saved->arg_1;
	out.arg_2 = saved->arg_2;
	out.arg_3 = saved->arg_3;
	out.arg_4 = saved->arg_4;
	out.arg_5 = saved->arg_5;
	out.arg_6 = saved->arg_6;
	out.ret = PT_REGS_RC(ctx);

	/*
	 * Only the bytes ahead of sc_name are submitted.
	 * NOTE(review): `out` is never zeroed and struct ev_dt_t is declared
	 * outside this view -- confirm that every byte before sc_name
	 * (padding included) is written above, otherwise uninitialized
	 * stack would be copied to the perf buffer.
	 */
	events.perf_submit(ctx, &out, offsetof(struct ev_dt_t, sc_name));
	tmp_i.delete(&pid_tid);
	return 0;
}
/*
* trace_libc_tmpl.c -- Trace syscalls with numbers known from libc.
* Uses BCC, eBPF.
*/
/*
* kprobe__SyS_recvfrom -- SyS_recvfrom() entry handler
*/
int
kprobe__SyS_recvfrom(struct pt_regs *ctx)
{
	/*
	 * Entry half of the SyS_recvfrom() trace: snapshots the six argument
	 * registers and the entry time, keyed by pid_tid, for the exit probe.
	 */
	u64 pid_tid = bpf_get_current_pid_tgid();

	/*
	 * pid_check_ff_disabled_hook.c -- no-follow-fork mode.
	 * The upper 32 bits are the tgid (process ID). Only the process ID
	 * baked in at generation time (2878) is recorded; calls from any
	 * other process, forked children included, are dropped here.
	 */
	if ((pid_tid >> 32) != 2878)
		return 0;

	struct first_step_t entry;

	entry.start_ts_nsec = bpf_ktime_get_ns();
	/*
	 * Raw register values; pointer arguments are kept as addresses and
	 * the memory they point to is not read here.
	 */
	entry.arg_1 = PT_REGS_PARM1(ctx);
	entry.arg_2 = PT_REGS_PARM2(ctx);
	entry.arg_3 = PT_REGS_PARM3(ctx);
	entry.arg_4 = PT_REGS_PARM4(ctx);
	entry.arg_5 = PT_REGS_PARM5(ctx);
	entry.arg_6 = PT_REGS_PARM6(ctx);

	/* Keyed by the full pid_tid, so each thread has its own slot. */
	tmp_i.update(&pid_tid, &entry);
	return 0;
}
/*
* kretprobe__SyS_recvfrom -- SyS_recvfrom() exit handler
*/
int
kretprobe__SyS_recvfrom(struct pt_regs *ctx)
{
	/*
	 * Exit half of the SyS_recvfrom() trace: pairs the record saved by
	 * the entry probe with the return value and emits one event.
	 */
	u64 cur_nsec = bpf_ktime_get_ns();
	u64 pid_tid = bpf_get_current_pid_tgid();
	struct first_step_t *saved = tmp_i.lookup(&pid_tid);

	/* No saved entry for this thread: nothing to pair, emit nothing. */
	if (!saved)
		return 0;

	struct ev_dt_t out;

	out.pid_tid = pid_tid;
	out.sc_id = __NR_recvfrom;	/* syscall number */
	out.packet_type = 0;		/* single-packet event */
	out.start_ts_nsec = saved->start_ts_nsec;
	out.finish_ts_nsec = cur_nsec;
	/* Arguments as captured at entry (raw register values). */
	out.arg_1 = saved->arg_1;
	out.arg_2 = saved->arg_2;
	out.arg_3 = saved->arg_3;
	out.arg_4 = saved->arg_4;
	out.arg_5 = saved->arg_5;
	out.arg_6 = saved->arg_6;
	out.ret = PT_REGS_RC(ctx);

	/*
	 * Only the bytes ahead of sc_name are submitted.
	 * NOTE(review): `out` is never zeroed and struct ev_dt_t is declared
	 * outside this view -- confirm that every byte before sc_name
	 * (padding included) is written above, otherwise uninitialized
	 * stack would be copied to the perf buffer.
	 */
	events.perf_submit(ctx, &out, offsetof(struct ev_dt_t, sc_name));
	tmp_i.delete(&pid_tid);
	return 0;
}
/*
* trace_libc_tmpl.c -- Trace syscalls with numbers known from libc.
* Uses BCC, eBPF.
*/
/*
* kprobe__SyS_sendmsg -- SyS_sendmsg() entry handler
*/
int
kprobe__SyS_sendmsg(struct pt_regs *ctx)
{
	/*
	 * Entry half of the SyS_sendmsg() trace: snapshots the six argument
	 * registers and the entry time, keyed by pid_tid, for the exit probe.
	 */
	u64 pid_tid = bpf_get_current_pid_tgid();

	/*
	 * pid_check_ff_disabled_hook.c -- no-follow-fork mode.
	 * The upper 32 bits are the tgid (process ID). Only the process ID
	 * baked in at generation time (2878) is recorded; calls from any
	 * other process, forked children included, are dropped here.
	 */
	if ((pid_tid >> 32) != 2878)
		return 0;

	struct first_step_t entry;

	entry.start_ts_nsec = bpf_ktime_get_ns();
	/*
	 * Raw register values; pointer arguments are kept as addresses and
	 * the memory they point to is not read here.
	 */
	entry.arg_1 = PT_REGS_PARM1(ctx);
	entry.arg_2 = PT_REGS_PARM2(ctx);
	entry.arg_3 = PT_REGS_PARM3(ctx);
	entry.arg_4 = PT_REGS_PARM4(ctx);
	entry.arg_5 = PT_REGS_PARM5(ctx);
	entry.arg_6 = PT_REGS_PARM6(ctx);

	/* Keyed by the full pid_tid, so each thread has its own slot. */
	tmp_i.update(&pid_tid, &entry);
	return 0;
}
/*
* kretprobe__SyS_sendmsg -- SyS_sendmsg() exit handler
*/
int
kretprobe__SyS_sendmsg(struct pt_regs *ctx)
{
	/*
	 * Exit half of the SyS_sendmsg() trace: pairs the record saved by
	 * the entry probe with the return value and emits one event.
	 */
	u64 cur_nsec = bpf_ktime_get_ns();
	u64 pid_tid = bpf_get_current_pid_tgid();
	struct first_step_t *saved = tmp_i.lookup(&pid_tid);

	/* No saved entry for this thread: nothing to pair, emit nothing. */
	if (!saved)
		return 0;

	struct ev_dt_t out;

	out.pid_tid = pid_tid;
	out.sc_id = __NR_sendmsg;	/* syscall number */
	out.packet_type = 0;		/* single-packet event */
	out.start_ts_nsec = saved->start_ts_nsec;
	out.finish_ts_nsec = cur_nsec;
	/* Arguments as captured at entry (raw register values). */
	out.arg_1 = saved->arg_1;
	out.arg_2 = saved->arg_2;
	out.arg_3 = saved->arg_3;
	out.arg_4 = saved->arg_4;
	out.arg_5 = saved->arg_5;
	out.arg_6 = saved->arg_6;
	out.ret = PT_REGS_RC(ctx);

	/*
	 * Only the bytes ahead of sc_name are submitted.
	 * NOTE(review): `out` is never zeroed and struct ev_dt_t is declared
	 * outside this view -- confirm that every byte before sc_name
	 * (padding included) is written above, otherwise uninitialized
	 * stack would be copied to the perf buffer.
	 */
	events.perf_submit(ctx, &out, offsetof(struct ev_dt_t, sc_name));
	tmp_i.delete(&pid_tid);
	return 0;
}
/*
* trace_libc_tmpl.c -- Trace syscalls with numbers known from libc.
* Uses BCC, eBPF.
*/
/*
* kprobe__SyS_recvmsg -- SyS_recvmsg() entry handler
*/
int
kprobe__SyS_recvmsg(struct pt_regs *ctx)
{
	/*
	 * Entry half of the SyS_recvmsg() trace: snapshots the six argument
	 * registers and the entry time, keyed by pid_tid, for the exit probe.
	 */
	u64 pid_tid = bpf_get_current_pid_tgid();

	/*
	 * pid_check_ff_disabled_hook.c -- no-follow-fork mode.
	 * The upper 32 bits are the tgid (process ID). Only the process ID
	 * baked in at generation time (2878) is recorded; calls from any
	 * other process, forked children included, are dropped here.
	 */
	if ((pid_tid >> 32) != 2878)
		return 0;

	struct first_step_t entry;

	entry.start_ts_nsec = bpf_ktime_get_ns();
	/*
	 * Raw register values; pointer arguments are kept as addresses and
	 * the memory they point to is not read here.
	 */
	entry.arg_1 = PT_REGS_PARM1(ctx);
	entry.arg_2 = PT_REGS_PARM2(ctx);
	entry.arg_3 = PT_REGS_PARM3(ctx);
	entry.arg_4 = PT_REGS_PARM4(ctx);
	entry.arg_5 = PT_REGS_PARM5(ctx);
	entry.arg_6 = PT_REGS_PARM6(ctx);

	/* Keyed by the full pid_tid, so each thread has its own slot. */
	tmp_i.update(&pid_tid, &entry);
	return 0;
}
/*
* kretprobe__SyS_recvmsg -- SyS_recvmsg() exit handler
*/
int
kretprobe__SyS_recvmsg(struct pt_regs *ctx)
{
	/*
	 * Exit half of the SyS_recvmsg() trace: pairs the record saved by
	 * the entry probe with the return value and emits one event.
	 */
	u64 cur_nsec = bpf_ktime_get_ns();
	u64 pid_tid = bpf_get_current_pid_tgid();
	struct first_step_t *saved = tmp_i.lookup(&pid_tid);

	/* No saved entry for this thread: nothing to pair, emit nothing. */
	if (!saved)
		return 0;

	struct ev_dt_t out;

	out.pid_tid = pid_tid;
	out.sc_id = __NR_recvmsg;	/* syscall number */
	out.packet_type = 0;		/* single-packet event */
	out.start_ts_nsec = saved->start_ts_nsec;
	out.finish_ts_nsec = cur_nsec;
	/* Arguments as captured at entry (raw register values). */
	out.arg_1 = saved->arg_1;
	out.arg_2 = saved->arg_2;
	out.arg_3 = saved->arg_3;
	out.arg_4 = saved->arg_4;
	out.arg_5 = saved->arg_5;
	out.arg_6 = saved->arg_6;
	out.ret = PT_REGS_RC(ctx);

	/*
	 * Only the bytes ahead of sc_name are submitted.
	 * NOTE(review): `out` is never zeroed and struct ev_dt_t is declared
	 * outside this view -- confirm that every byte before sc_name
	 * (padding included) is written above, otherwise uninitialized
	 * stack would be copied to the perf buffer.
	 */
	events.perf_submit(ctx, &out, offsetof(struct ev_dt_t, sc_name));
	tmp_i.delete(&pid_tid);
	return 0;
}
/*
* trace_libc_tmpl.c -- Trace syscalls with numbers known from libc.
* Uses BCC, eBPF.
*/
/*
* kprobe__SyS_shutdown -- SyS_shutdown() entry handler
*/
int
kprobe__SyS_shutdown(struct pt_regs *ctx)
{
	/*
	 * Entry half of the SyS_shutdown() trace: snapshots the six argument
	 * registers and the entry time, keyed by pid_tid, for the exit probe.
	 */
	u64 pid_tid = bpf_get_current_pid_tgid();

	/*
	 * pid_check_ff_disabled_hook.c -- no-follow-fork mode.
	 * The upper 32 bits are the tgid (process ID). Only the process ID
	 * baked in at generation time (2878) is recorded; calls from any
	 * other process, forked children included, are dropped here.
	 */
	if ((pid_tid >> 32) != 2878)
		return 0;

	struct first_step_t entry;

	entry.start_ts_nsec = bpf_ktime_get_ns();
	/* Raw register values, stored without interpretation. */
	entry.arg_1 = PT_REGS_PARM1(ctx);
	entry.arg_2 = PT_REGS_PARM2(ctx);
	entry.arg_3 = PT_REGS_PARM3(ctx);
	entry.arg_4 = PT_REGS_PARM4(ctx);
	entry.arg_5 = PT_REGS_PARM5(ctx);
	entry.arg_6 = PT_REGS_PARM6(ctx);

	/* Keyed by the full pid_tid, so each thread has its own slot. */
	tmp_i.update(&pid_tid, &entry);
	return 0;
}
/*
* kretprobe__SyS_shutdown -- SyS_shutdown() exit handler
*/
int
kretprobe__SyS_shutdown(struct pt_regs *ctx)
{
	/*
	 * Exit half of the SyS_shutdown() trace: pairs the record saved by
	 * the entry probe with the return value and emits one event.
	 */
	u64 cur_nsec = bpf_ktime_get_ns();
	u64 pid_tid = bpf_get_current_pid_tgid();
	struct first_step_t *saved = tmp_i.lookup(&pid_tid);

	/* No saved entry for this thread: nothing to pair, emit nothing. */
	if (!saved)
		return 0;

	struct ev_dt_t out;

	out.pid_tid = pid_tid;
	out.sc_id = __NR_shutdown;	/* syscall number */
	out.packet_type = 0;		/* single-packet event */
	out.start_ts_nsec = saved->start_ts_nsec;
	out.finish_ts_nsec = cur_nsec;
	/* Arguments as captured at entry (raw register values). */
	out.arg_1 = saved->arg_1;
	out.arg_2 = saved->arg_2;
	out.arg_3 = saved->arg_3;
	out.arg_4 = saved->arg_4;
	out.arg_5 = saved->arg_5;
	out.arg_6 = saved->arg_6;
	out.ret = PT_REGS_RC(ctx);

	/*
	 * Only the bytes ahead of sc_name are submitted.
	 * NOTE(review): `out` is never zeroed and struct ev_dt_t is declared
	 * outside this view -- confirm that every byte before sc_name
	 * (padding included) is written above, otherwise uninitialized
	 * stack would be copied to the perf buffer.
	 */
	events.perf_submit(ctx, &out, offsetof(struct ev_dt_t, sc_name));
	tmp_i.delete(&pid_tid);
	return 0;
}
/*
* trace_libc_tmpl.c -- Trace syscalls with numbers known from libc.
* Uses BCC, eBPF.
*/
/*
* kprobe__SyS_bind -- SyS_bind() entry handler
*/
int
kprobe__SyS_bind(struct pt_regs *ctx)
{
	/*
	 * Entry half of the SyS_bind() trace: snapshots the six argument
	 * registers and the entry time, keyed by pid_tid, for the exit probe.
	 */
	u64 pid_tid = bpf_get_current_pid_tgid();

	/*
	 * pid_check_ff_disabled_hook.c -- no-follow-fork mode.
	 * The upper 32 bits are the tgid (process ID). Only the process ID
	 * baked in at generation time (2878) is recorded; calls from any
	 * other process, forked children included, are dropped here.
	 */
	if ((pid_tid >> 32) != 2878)
		return 0;

	struct first_step_t entry;

	entry.start_ts_nsec = bpf_ktime_get_ns();
	/*
	 * Raw register values; pointer arguments are kept as addresses and
	 * the memory they point to is not read here.
	 */
	entry.arg_1 = PT_REGS_PARM1(ctx);
	entry.arg_2 = PT_REGS_PARM2(ctx);
	entry.arg_3 = PT_REGS_PARM3(ctx);
	entry.arg_4 = PT_REGS_PARM4(ctx);
	entry.arg_5 = PT_REGS_PARM5(ctx);
	entry.arg_6 = PT_REGS_PARM6(ctx);

	/* Keyed by the full pid_tid, so each thread has its own slot. */
	tmp_i.update(&pid_tid, &entry);
	return 0;
}
/*
* kretprobe__SyS_bind -- SyS_bind() exit handler
*/
int
kretprobe__SyS_bind(struct pt_regs *ctx)
{
	/*
	 * Exit half of the SyS_bind() trace: pairs the record saved by
	 * the entry probe with the return value and emits one event.
	 */
	u64 cur_nsec = bpf_ktime_get_ns();
	u64 pid_tid = bpf_get_current_pid_tgid();
	struct first_step_t *saved = tmp_i.lookup(&pid_tid);

	/* No saved entry for this thread: nothing to pair, emit nothing. */
	if (!saved)
		return 0;

	struct ev_dt_t out;

	out.pid_tid = pid_tid;
	out.sc_id = __NR_bind;		/* syscall number */
	out.packet_type = 0;		/* single-packet event */
	out.start_ts_nsec = saved->start_ts_nsec;
	out.finish_ts_nsec = cur_nsec;
	/* Arguments as captured at entry (raw register values). */
	out.arg_1 = saved->arg_1;
	out.arg_2 = saved->arg_2;
	out.arg_3 = saved->arg_3;
	out.arg_4 = saved->arg_4;
	out.arg_5 = saved->arg_5;
	out.arg_6 = saved->arg_6;
	out.ret = PT_REGS_RC(ctx);

	/*
	 * Only the bytes ahead of sc_name are submitted.
	 * NOTE(review): `out` is never zeroed and struct ev_dt_t is declared
	 * outside this view -- confirm that every byte before sc_name
	 * (padding included) is written above, otherwise uninitialized
	 * stack would be copied to the perf buffer.
	 */
	events.perf_submit(ctx, &out, offsetof(struct ev_dt_t, sc_name));
	tmp_i.delete(&pid_tid);
	return 0;
}
/*
* trace_libc_tmpl.c -- Trace syscalls with numbers known from libc.
* Uses BCC, eBPF.
*/
/*
* kprobe__SyS_listen -- SyS_listen() entry handler
*/
int
kprobe__SyS_listen(struct pt_regs *ctx)
{
struct first_step_t fs;
u64 pid_tid = bpf_get_current_pid_tgid();
/*
* pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode.
*/
{
if ((pid_tid >> 32) != 2878) {
return 0;
}
}
fs.start_ts_nsec = bpf_ktime_get_ns();
fs.arg_1 = PT_REGS_PARM1(ctx);
fs.arg_2 = PT_REGS_PARM2(ctx);
fs.arg_3 = PT_REGS_PARM3(ctx);
fs.arg_4 = PT_REGS_PARM4(ctx);
fs.arg_5 = PT_REGS_PARM5(ctx);
fs.arg_6 = PT_REGS_PARM6(ctx);
tmp_i.update(&pid_tid, &fs);