diff --git a/driver/bpf/filler_helpers.h b/driver/bpf/filler_helpers.h index a6bc4ad87d..7fd9880ee2 100644 --- a/driver/bpf/filler_helpers.h +++ b/driver/bpf/filler_helpers.h @@ -915,6 +915,7 @@ static __always_inline int __bpf_val_to_ring(struct filler_data *data, case PT_SOCKADDR: case PT_SOCKTUPLE: case PT_FDLIST: + case PT_FDLIST32: if (!data->curarg_already_on_frame) { bpf_printk("expected arg already on frame: evt_type %d, curarg %d, type %d\n", data->state->tail_ctx.evt_type, @@ -963,6 +964,9 @@ static __always_inline int __bpf_val_to_ring(struct filler_data *data, len = sizeof(s16); break; case PT_INT32: + case PT_ERRNO32: + case PT_FD32: + case PT_PID32: *((s32 *)&data->buf[curoff_bounded]) = val; len = sizeof(s32); break; diff --git a/driver/bpf/fillers.h b/driver/bpf/fillers.h index 2d02c3bfb7..7f2d89c31f 100644 --- a/driver/bpf/fillers.h +++ b/driver/bpf/fillers.h @@ -542,8 +542,8 @@ static __always_inline int bpf_poll_parse_fds(struct filler_data *data, flags = poll_events_to_scap(fds[j].revents); } - *(s64 *)&data->buf[off & SCRATCH_SIZE_HALF] = fds[j].fd; - off += sizeof(s64); + *(s32 *)&data->buf[off & SCRATCH_SIZE_HALF] = fds[j].fd; + off += sizeof(s32); if (off > SCRATCH_SIZE_HALF) { return PPM_FAILURE_FRAME_SCRATCH_MAP_FULL; @@ -556,7 +556,7 @@ static __always_inline int bpf_poll_parse_fds(struct filler_data *data, *((u16 *)&data->buf[data->state->tail_ctx.curoff & SCRATCH_SIZE_HALF]) = fds_count; data->curarg_already_on_frame = true; - return __bpf_val_to_ring(data, 0, off - data->state->tail_ctx.curoff, PT_FDLIST, -1, false); + return __bpf_val_to_ring(data, 0, off - data->state->tail_ctx.curoff, PT_FDLIST32, -1, false); } FILLER(sys_poll_e, true) @@ -589,7 +589,7 @@ FILLER(sys_poll_x, true) * res */ retval = bpf_syscall_get_retval(data->ctx); - res = bpf_val_to_ring_type(data, retval, PT_ERRNO); + res = bpf_val_to_ring_type(data, retval, PT_ERRNO32); if (res != PPM_SUCCESS) return res; @@ -720,7 +720,7 @@ FILLER(sys_readv_preadv_x, true) * res */ retval = bpf_syscall_get_retval(data->ctx); - res = bpf_val_to_ring_type(data, retval, PT_ERRNO); + res = bpf_val_to_ring_type(data, retval, PT_ERRNO32); if (res != PPM_SUCCESS) return res; @@ -1027,7 +1027,7 @@ FILLER(sys_fcntl_e, true) * fd */ val = bpf_syscall_get_argument(data, 0); - res = bpf_val_to_ring_type(data, val, PT_FD); + res = bpf_val_to_ring_type(data, val, PT_FD32); if (res != PPM_SUCCESS) return res; @@ -1129,7 +1129,7 @@ FILLER(sys_connect_e, true) int fd; fd = bpf_syscall_get_argument(data, 0); - res = bpf_val_to_ring_type(data, fd, PT_FD); + res = bpf_val_to_ring_type(data, fd, PT_FD32); if (res != PPM_SUCCESS) return res; @@ -1232,7 +1232,7 @@ FILLER(sys_socketpair_x, true) /* ret */ retval = bpf_syscall_get_retval(data->ctx); - res = bpf_val_to_ring_type(data, retval, PT_ERRNO); + res = bpf_val_to_ring_type(data, retval, PT_ERRNO32); if (res != PPM_SUCCESS) return res; @@ -1249,11 +1249,11 @@ FILLER(sys_socketpair_x, true) } } /* fd1 */ - res = bpf_val_to_ring_type(data, fds[0], PT_FD); + res = bpf_val_to_ring_type(data, fds[0], PT_FD32); if (res != PPM_SUCCESS) return res; /* fd2 */ - res = bpf_val_to_ring_type(data, fds[1], PT_FD); + res = bpf_val_to_ring_type(data, fds[1], PT_FD32); if (res != PPM_SUCCESS) return res; /* source */ @@ -1280,7 +1280,7 @@ static int __always_inline parse_sockopt(struct filler_data *data, int level, in case SO_ERROR: if (bpf_probe_read(&u.val32, sizeof(u.val32), optval)) return PPM_FAILURE_INVALID_USER_MEMORY; - return bpf_val_to_ring_dyn(data, -u.val32, PT_ERRNO, PPM_SOCKOPT_IDX_ERRNO); + return bpf_val_to_ring_dyn(data, -u.val32, PT_ERRNO32, PPM_SOCKOPT_IDX_ERRNO32); #endif #ifdef SO_RCVTIMEO @@ -1446,13 +1446,13 @@ FILLER(sys_setsockopt_x, true) retval = bpf_syscall_get_retval(data->ctx); /* retval */ - res = bpf_val_to_ring_type(data, retval, PT_ERRNO); + res = bpf_val_to_ring_type(data, retval, PT_ERRNO32); if (res != PPM_SUCCESS) return res; /* fd */ fd = bpf_syscall_get_argument(data, 0); - res = bpf_val_to_ring_type(data, fd, PT_FD); + res = bpf_val_to_ring_type(data, fd, PT_FD32); if (res != PPM_SUCCESS) return res; @@ -1488,13 +1488,13 @@ FILLER(sys_getsockopt_x, true) retval = bpf_syscall_get_retval(data->ctx); /* retval */ - res = bpf_val_to_ring_type(data, retval, PT_ERRNO); + res = bpf_val_to_ring_type(data, retval, PT_ERRNO32); if (res != PPM_SUCCESS) return res; /* fd */ fd = bpf_syscall_get_argument(data, 0); - res = bpf_val_to_ring_type(data, fd, PT_FD); + res = bpf_val_to_ring_type(data, fd, PT_FD32); if (res != PPM_SUCCESS) return res; @@ -1628,7 +1628,7 @@ FILLER(sys_send_x, true) * res */ retval = bpf_syscall_get_retval(data->ctx); - res = bpf_val_to_ring_type(data, retval, PT_ERRNO); + res = bpf_val_to_ring_type(data, retval, PT_ERRNO32); if (res != PPM_SUCCESS) return res; @@ -2271,7 +2271,7 @@ FILLER(proc_startupdate, true) * Make sure the operation was successful */ retval = bpf_syscall_get_retval(data->ctx); - res = bpf_val_to_ring_type(data, retval, PT_ERRNO); + res = bpf_val_to_ring_type(data, retval, PT_ERRNO32); if (res != PPM_SUCCESS) return res; @@ -2387,7 +2387,7 @@ FILLER(proc_startupdate, true) */ pid = _READ(task->pid); - res = bpf_val_to_ring_type(data, pid, PT_PID); + res = bpf_val_to_ring_type(data, pid, PT_PID32); if (res != PPM_SUCCESS) return res; @@ -2396,7 +2396,7 @@ FILLER(proc_startupdate, true) */ tgid = _READ(task->tgid); - res = bpf_val_to_ring_type(data, tgid, PT_PID); + res = bpf_val_to_ring_type(data, tgid, PT_PID32); if (res != PPM_SUCCESS) return res; @@ -2406,7 +2406,7 @@ FILLER(proc_startupdate, true) real_parent = _READ(task->real_parent); pid_t ptid = _READ(real_parent->pid); - res = bpf_val_to_ring_type(data, ptid, PT_PID); + res = bpf_val_to_ring_type(data, ptid, PT_PID32); if (res != PPM_SUCCESS) return res; @@ -2624,7 +2624,7 @@ FILLER(proc_startupdate_3, true) * vtid */ vtid = bpf_task_pid_vnr(task); - res = bpf_val_to_ring_type(data, vtid, PT_PID); + res = bpf_val_to_ring_type(data, vtid, PT_PID32); if (res != PPM_SUCCESS) return res; @@ -2632,7 +2632,7 @@ FILLER(proc_startupdate_3, true) * vpid */ vpid = bpf_task_tgid_vnr(task); - res = bpf_val_to_ring_type(data, vpid, PT_PID); + res = bpf_val_to_ring_type(data, vpid, PT_PID32); } else if (data->state->tail_ctx.evt_type == PPME_SYSCALL_EXECVE_19_X || data->state->tail_ctx.evt_type == PPME_SYSCALL_EXECVEAT_X) { @@ -2716,7 +2716,7 @@ FILLER(proc_startupdate_3, true) /* * pgid */ - res = bpf_val_to_ring_type(data, bpf_task_pgrp_vnr(task), PT_PID); + res = bpf_val_to_ring_type(data, bpf_task_pgrp_vnr(task), PT_PID32); if (res != PPM_SUCCESS) return res; @@ -2840,7 +2840,7 @@ FILLER(sys_accept_x, true) * in the stack, and therefore we can consume them. */ fd = bpf_syscall_get_retval(data->ctx); - res = bpf_val_to_ring_type(data, fd, PT_FD); + res = bpf_val_to_ring_type(data, fd, PT_FD32); if (res != PPM_SUCCESS) return res; @@ -3653,7 +3653,7 @@ FILLER(sys_prlimit_x, true) * res */ retval = bpf_syscall_get_retval(data->ctx); - res = bpf_val_to_ring_type(data, retval, PT_ERRNO); + res = bpf_val_to_ring_type(data, retval, PT_ERRNO32); if (res != PPM_SUCCESS) return res; @@ -3847,7 +3847,7 @@ static __always_inline int f_sys_recv_x_common(struct filler_data *data, long re /* * res */ - res = bpf_val_to_ring_type(data, retval, PT_ERRNO); + res = bpf_val_to_ring_type(data, retval, PT_ERRNO32); if (res != PPM_SUCCESS) return res; @@ -3990,7 +3990,7 @@ FILLER(sys_recvmsg_x, true) * res */ retval = bpf_syscall_get_retval(data->ctx); - res = bpf_val_to_ring_type(data, retval, PT_ERRNO); + res = bpf_val_to_ring_type(data, retval, PT_ERRNO32); if (res != PPM_SUCCESS) return res; @@ -4094,7 +4094,7 @@ FILLER(sys_sendmsg_e, true) * fd */ fd = bpf_syscall_get_argument(data, 0); - res = bpf_val_to_ring_type(data, fd, PT_FD); + res = bpf_val_to_ring_type(data, fd, PT_FD32); if (res != PPM_SUCCESS) return res; @@ -4163,7 +4163,7 @@ FILLER(sys_sendmsg_x, true) * res */ retval = bpf_syscall_get_retval(data->ctx); - res = bpf_val_to_ring_type(data, retval, PT_ERRNO); + res = bpf_val_to_ring_type(data, retval, PT_ERRNO32); if (res != PPM_SUCCESS) return res; @@ -4456,7 +4456,7 @@ FILLER(sys_semop_x, true) * return value */ retval = bpf_syscall_get_retval(data->ctx); - res = bpf_val_to_ring_type(data, retval, PT_ERRNO); + res = bpf_val_to_ring_type(data, retval, PT_ERRNO32); if (res != PPM_SUCCESS) return res; @@ -4687,7 +4687,7 @@ FILLER(sys_symlinkat_x, true) int res; retval = bpf_syscall_get_retval(data->ctx); - res = bpf_val_to_ring_type(data, retval, PT_ERRNO); + res = bpf_val_to_ring_type(data, retval, PT_ERRNO32); if (res != PPM_SUCCESS) return res; @@ -4707,7 +4707,7 @@ FILLER(sys_symlinkat_x, true) if ((int)val == AT_FDCWD) val = PPM_AT_FDCWD; - res = bpf_val_to_ring_type(data, val, PT_FD); + res = bpf_val_to_ring_type(data, val, PT_FD32); if (res != PPM_SUCCESS) return res; @@ -4822,7 +4822,7 @@ FILLER(sched_switch_e, false) /* * next */ - res = bpf_val_to_ring_type(data, next_pid, PT_PID); + res = bpf_val_to_ring_type(data, next_pid, PT_PID32); if (res != PPM_SUCCESS) return res; @@ -5057,7 +5057,7 @@ FILLER(sys_quotactl_x, true) * return value */ retval = bpf_syscall_get_retval(data->ctx); - res = bpf_val_to_ring_type(data, retval, PT_ERRNO); + res = bpf_val_to_ring_type(data, retval, PT_ERRNO32); if (res != PPM_SUCCESS) return res; @@ -5374,7 +5374,7 @@ FILLER(sys_ptrace_x, true) * res */ retval = bpf_syscall_get_retval(data->ctx); - res = bpf_val_to_ring_type(data, retval, PT_ERRNO); + res = bpf_val_to_ring_type(data, retval, PT_ERRNO32); if (res != PPM_SUCCESS) return res; @@ -5413,9 +5413,9 @@ FILLER(sys_bpf_x, true) * fd, depending on cmd */ if (retval >= 0 && (cmd == BPF_MAP_CREATE || cmd == BPF_PROG_LOAD)) - res = bpf_val_to_ring_dyn(data, retval, PT_FD, PPM_BPF_IDX_FD); + res = bpf_val_to_ring_dyn(data, retval, PT_FD32, PPM_BPF_IDX_FD32); else - res = bpf_val_to_ring_dyn(data, retval, PT_ERRNO, PPM_BPF_IDX_RES); + res = bpf_val_to_ring_dyn(data, retval, PT_ERRNO32, PPM_BPF_IDX_RES32); return res; } @@ -5929,11 +5929,11 @@ FILLER(sched_prog_exec, false) { int res = 0; - /* Parameter 1: res (type: PT_ERRNO) */ + /* Parameter 1: res (type: PT_ERRNO32) */ /* Please note: if this filler is called the execve is correctly * performed, so the return value will be always 0. */ - res = bpf_val_to_ring_type(data, 0, PT_ERRNO); + res = bpf_val_to_ring_type(data, 0, PT_ERRNO32); if(res != PPM_SUCCESS) { return res; @@ -6023,26 +6023,26 @@ FILLER(sched_prog_exec, false) } } - /* Parameter 4: tid (type: PT_PID) */ + /* Parameter 4: tid (type: PT_PID32) */ pid_t pid = _READ(task->pid); - res = bpf_val_to_ring_type(data, pid, PT_PID); + res = bpf_val_to_ring_type(data, pid, PT_PID32); if(res != PPM_SUCCESS) { return res; } - /* Parameter 5: pid (type: PT_PID) */ + /* Parameter 5: pid (type: PT_PID32) */ pid_t tgid = _READ(task->tgid); - res = bpf_val_to_ring_type(data, tgid, PT_PID); + res = bpf_val_to_ring_type(data, tgid, PT_PID32); if(res != PPM_SUCCESS) { return res; } - /* Parameter 6: ptid (type: PT_PID) */ + /* Parameter 6: ptid (type: PT_PID32) */ struct task_struct *real_parent = _READ(task->real_parent); pid_t ptid = _READ(real_parent->pid); - res = bpf_val_to_ring_type(data, ptid, PT_PID); + res = bpf_val_to_ring_type(data, ptid, PT_PID32); if(res != PPM_SUCCESS) { return res; @@ -6208,8 +6208,8 @@ FILLER(sched_prog_exec_3, false) return res; } - /* Parameter 18: pgid (type: PT_PID) */ - res = bpf_val_to_ring_type(data, bpf_task_pgrp_vnr(task), PT_PID); + /* Parameter 18: pgid (type: PT_PID32) */ + res = bpf_val_to_ring_type(data, bpf_task_pgrp_vnr(task), PT_PID32); if(res != PPM_SUCCESS) { return res; @@ -6328,11 +6328,11 @@ FILLER(sched_prog_fork, false) struct ppm_evt_hdr *evt_hdr = (struct ppm_evt_hdr *)data->buf; evt_hdr->tid = (uint64_t)child_pid; - /* Parameter 1: res (type: PT_ERRNO) */ + /* Parameter 1: res (type: PT_ERRNO32) */ /* Please note: here we are in the clone child exit * event, so the return value will be always 0. */ - res = bpf_val_to_ring_type(data, 0, PT_ERRNO); + res = bpf_val_to_ring_type(data, 0, PT_ERRNO32); if(res != PPM_SUCCESS) { return res; @@ -6417,26 +6417,26 @@ FILLER(sched_prog_fork, false) } } - /* Parameter 4: tid (type: PT_PID) */ + /* Parameter 4: tid (type: PT_PID32) */ pid_t pid = _READ(child->pid); - res = bpf_val_to_ring_type(data, pid, PT_PID); + res = bpf_val_to_ring_type(data, pid, PT_PID32); if(res != PPM_SUCCESS) { return res; } - /* Parameter 5: pid (type: PT_PID) */ + /* Parameter 5: pid (type: PT_PID32) */ pid_t tgid = _READ(child->tgid); - res = bpf_val_to_ring_type(data, tgid, PT_PID); + res = bpf_val_to_ring_type(data, tgid, PT_PID32); if(res != PPM_SUCCESS) { return res; } - /* Parameter 6: ptid (type: PT_PID) */ + /* Parameter 6: ptid (type: PT_PID32) */ struct task_struct *real_parent = _READ(child->real_parent); pid_t ptid = _READ(real_parent->pid); - res = bpf_val_to_ring_type(data, ptid, PT_PID); + res = bpf_val_to_ring_type(data, ptid, PT_PID32); if(res != PPM_SUCCESS) { return res; @@ -6617,15 +6617,15 @@ FILLER(sched_prog_fork_3, false) return res; } - /* Parameter 19: vtid (type: PT_PID) */ + /* Parameter 19: vtid (type: PT_PID32) */ pid_t vtid = bpf_task_pid_vnr(child); - res = bpf_val_to_ring_type(data, vtid, PT_PID); + res = bpf_val_to_ring_type(data, vtid, PT_PID32); if(res != PPM_SUCCESS) return res; - /* Parameter 20: vpid (type: PT_PID) */ + /* Parameter 20: vpid (type: PT_PID32) */ pid_t vpid = bpf_task_tgid_vnr(child); - res = bpf_val_to_ring_type(data, vpid, PT_PID); + res = bpf_val_to_ring_type(data, vpid, PT_PID32); return res; } diff --git a/driver/dynamic_params_table.c b/driver/dynamic_params_table.c index f7d6915932..e4324ac24d 100644 --- a/driver/dynamic_params_table.c +++ b/driver/dynamic_params_table.c @@ -15,6 +15,7 @@ const struct ppm_param_info sockopt_dynamic_param[PPM_SOCKOPT_IDX_MAX] = { [PPM_SOCKOPT_IDX_UINT32] = {{0}, PT_UINT32, PF_DEC}, [PPM_SOCKOPT_IDX_UINT64] = {{0}, PT_UINT64, PF_DEC}, [PPM_SOCKOPT_IDX_TIMEVAL] = {{0}, PT_RELTIME, PF_DEC}, + [PPM_SOCKOPT_IDX_ERRNO32] = {{0}, PT_ERRNO32, PF_DEC}, }; const struct ppm_param_info ptrace_dynamic_param[PPM_PTRACE_IDX_MAX] = { @@ -25,4 +26,6 @@ const struct ppm_param_info ptrace_dynamic_param[PPM_PTRACE_IDX_MAX] = { const struct ppm_param_info bpf_dynamic_param[PPM_BPF_IDX_MAX] = { [PPM_BPF_IDX_FD] = {{0}, PT_FD, PF_DEC}, [PPM_BPF_IDX_RES] = {{0}, PT_ERRNO, PF_DEC}, + [PPM_BPF_IDX_FD32] = {{0}, PT_FD32, PF_DEC}, + [PPM_BPF_IDX_RES32] = {{0}, PT_ERRNO32, PF_DEC}, }; diff --git a/driver/event_table.c b/driver/event_table.c index b745b5f867..671fda90f2 100644 --- a/driver/event_table.c +++ b/driver/event_table.c @@ -13,207 +13,207 @@ const struct ppm_event_info g_event_info[PPM_EVENT_MAX] = { /* PPME_GENERIC_E */{"syscall", EC_OTHER, EF_NONE, 2, {{"ID", PT_SYSCALLID, PF_DEC}, {"nativeID", PT_UINT16, PF_DEC} } }, /* PPME_GENERIC_X */{"syscall", EC_OTHER, EF_NONE, 1, {{"ID", PT_SYSCALLID, PF_DEC} } }, /* PPME_SYSCALL_OPEN_E */{"open", EC_FILE, EF_CREATES_FD | EF_MODIFIES_STATE, 3, {{"name", PT_FSPATH, PF_NA}, {"flags", PT_FLAGS32, PF_HEX, file_flags}, {"mode", PT_UINT32, PF_OCT} } }, - /* PPME_SYSCALL_OPEN_X */{"open", EC_FILE, EF_CREATES_FD | EF_MODIFIES_STATE, 6, {{"fd", PT_FD, PF_DEC}, {"name", PT_FSPATH, PF_NA}, {"flags", PT_FLAGS32, PF_HEX, file_flags}, {"mode", PT_UINT32, PF_OCT}, {"dev", PT_UINT32, PF_HEX}, {"ino", PT_UINT64, PF_DEC} } }, - /* PPME_SYSCALL_CLOSE_E */{"close", EC_IO_OTHER, EF_DESTROYS_FD | EF_USES_FD | EF_MODIFIES_STATE | EF_DROP_SIMPLE_CONS, 1, {{"fd", PT_FD, PF_DEC} } }, - /* PPME_SYSCALL_CLOSE_X */{"close", EC_IO_OTHER, EF_DESTROYS_FD | EF_USES_FD | EF_MODIFIES_STATE | EF_DROP_SIMPLE_CONS, 1, {{"res", PT_ERRNO, PF_DEC} } }, - /* PPME_SYSCALL_READ_E */{"read", EC_IO_READ, EF_USES_FD | EF_READS_FROM_FD | EF_DROP_SIMPLE_CONS, 2, {{"fd", PT_FD, PF_DEC}, {"size", PT_UINT32, PF_DEC} } }, - /* PPME_SYSCALL_READ_X */{"read", EC_IO_READ, EF_USES_FD | EF_READS_FROM_FD | EF_DROP_SIMPLE_CONS, 2, {{"res", PT_ERRNO, PF_DEC}, {"data", PT_BYTEBUF, PF_NA} } }, - /* PPME_SYSCALL_WRITE_E */{"write", EC_IO_WRITE, EF_USES_FD | EF_WRITES_TO_FD | EF_DROP_SIMPLE_CONS, 2, {{"fd", PT_FD, PF_DEC}, {"size", PT_UINT32, PF_DEC} } }, - /* PPME_SYSCALL_WRITE_X */{"write", EC_IO_WRITE, EF_USES_FD | EF_WRITES_TO_FD | EF_DROP_SIMPLE_CONS, 2, {{"res", PT_ERRNO, PF_DEC}, {"data", PT_BYTEBUF, PF_NA} } }, + /* PPME_SYSCALL_OPEN_X */{"open", EC_FILE, EF_CREATES_FD | EF_MODIFIES_STATE, 6, {{"fd", PT_FD32, PF_DEC}, {"name", PT_FSPATH, PF_NA}, {"flags", PT_FLAGS32, PF_HEX, file_flags}, {"mode", PT_UINT32, PF_OCT}, {"dev", PT_UINT32, PF_HEX}, {"ino", PT_UINT64, PF_DEC} } }, + /* PPME_SYSCALL_CLOSE_E */{"close", EC_IO_OTHER, EF_DESTROYS_FD | EF_USES_FD | EF_MODIFIES_STATE | EF_DROP_SIMPLE_CONS, 1, {{"fd", PT_FD32, PF_DEC} } }, + /* PPME_SYSCALL_CLOSE_X */{"close", EC_IO_OTHER, EF_DESTROYS_FD | EF_USES_FD | EF_MODIFIES_STATE | EF_DROP_SIMPLE_CONS, 1, {{"res", PT_ERRNO32, PF_DEC} } }, + /* PPME_SYSCALL_READ_E */{"read", EC_IO_READ, EF_USES_FD | EF_READS_FROM_FD | EF_DROP_SIMPLE_CONS, 2, {{"fd", PT_FD32, PF_DEC}, {"size", PT_UINT32, PF_DEC} } }, + /* PPME_SYSCALL_READ_X */{"read", EC_IO_READ, EF_USES_FD | EF_READS_FROM_FD | EF_DROP_SIMPLE_CONS, 2, {{"res", PT_ERRNO32, PF_DEC}, {"data", PT_BYTEBUF, PF_NA} } }, + /* PPME_SYSCALL_WRITE_E */{"write", EC_IO_WRITE, EF_USES_FD | EF_WRITES_TO_FD | EF_DROP_SIMPLE_CONS, 2, {{"fd", PT_FD32, PF_DEC}, {"size", PT_UINT32, PF_DEC} } }, + /* PPME_SYSCALL_WRITE_X */{"write", EC_IO_WRITE, EF_USES_FD | EF_WRITES_TO_FD | EF_DROP_SIMPLE_CONS, 2, {{"res", PT_ERRNO32, PF_DEC}, {"data", PT_BYTEBUF, PF_NA} } }, /* PPME_SYSCALL_BRK_1_E */{"brk", EC_MEMORY, EF_OLD_VERSION, 1, {{"size", PT_UINT32, PF_DEC} } }, /* PPME_SYSCALL_BRK_1_X */{"brk", EC_MEMORY, EF_OLD_VERSION, 1, {{"res", PT_UINT64, PF_HEX} } }, /* PPME_SYSCALL_EXECVE_8_E */{"execve", EC_PROCESS, EF_MODIFIES_STATE | EF_OLD_VERSION, 0}, - /* PPME_SYSCALL_EXECVE_8_X */{"execve", EC_PROCESS, EF_MODIFIES_STATE | EF_OLD_VERSION, 8, {{"res", PT_ERRNO, PF_DEC}, {"exe", PT_CHARBUF, PF_NA}, {"args", PT_BYTEBUF, PF_NA}, {"tid", PT_PID, PF_DEC}, {"pid", PT_PID, PF_DEC}, {"ptid", PT_PID, PF_DEC}, {"cwd", PT_CHARBUF, PF_NA}, {"fdlimit", PT_UINT64, PF_DEC} } }, + /* PPME_SYSCALL_EXECVE_8_X */{"execve", EC_PROCESS, EF_MODIFIES_STATE | EF_OLD_VERSION, 8, {{"res", PT_ERRNO32, PF_DEC}, {"exe", PT_CHARBUF, PF_NA}, {"args", PT_BYTEBUF, PF_NA}, {"tid", PT_PID32, PF_DEC}, {"pid", PT_PID32, PF_DEC}, {"ptid", PT_PID32, PF_DEC}, {"cwd", PT_CHARBUF, PF_NA}, {"fdlimit", PT_UINT64, PF_DEC} } }, /* PPME_SYSCALL_CLONE_11_E */{"clone", EC_PROCESS, EF_MODIFIES_STATE | EF_OLD_VERSION, 0}, - /* PPME_SYSCALL_CLONE_11_X */{"clone", EC_PROCESS, EF_MODIFIES_STATE | EF_OLD_VERSION, 11, {{"res", PT_PID, PF_DEC}, {"exe", PT_CHARBUF, PF_NA}, {"args", PT_BYTEBUF, PF_NA}, {"tid", PT_PID, PF_DEC}, {"pid", PT_PID, PF_DEC}, {"ptid", PT_PID, PF_DEC}, {"cwd", PT_CHARBUF, PF_NA}, {"fdlimit", PT_INT64, PF_DEC}, {"flags", PT_FLAGS32, PF_HEX, clone_flags}, {"uid", PT_UINT32, PF_DEC}, {"gid", PT_UINT32, PF_DEC} } }, + /* PPME_SYSCALL_CLONE_11_X */{"clone", EC_PROCESS, EF_MODIFIES_STATE | EF_OLD_VERSION, 11, {{"res", PT_PID32, PF_DEC}, {"exe", PT_CHARBUF, PF_NA}, {"args", PT_BYTEBUF, PF_NA}, {"tid", PT_PID32, PF_DEC}, {"pid", PT_PID32, PF_DEC}, {"ptid", PT_PID32, PF_DEC}, {"cwd", PT_CHARBUF, PF_NA}, {"fdlimit", PT_INT64, PF_DEC}, {"flags", PT_FLAGS32, PF_HEX, clone_flags}, {"uid", PT_UINT32, PF_DEC}, {"gid", PT_UINT32, PF_DEC} } }, /* PPME_PROCEXIT_E */{"procexit", EC_PROCESS, EF_MODIFIES_STATE | EF_OLD_VERSION, 0}, /* PPME_NA1 */{"NA1", EC_PROCESS, EF_UNUSED, 0}, /* PPME_SOCKET_SOCKET_E */{"socket", EC_NET, EF_CREATES_FD | EF_MODIFIES_STATE, 3, {{"domain", PT_ENUMFLAGS32, PF_DEC, socket_families}, {"type", PT_UINT32, PF_DEC}, {"proto", PT_UINT32, PF_DEC} } }, - /* PPME_SOCKET_SOCKET_X */{"socket", EC_NET, EF_CREATES_FD | EF_MODIFIES_STATE, 1, {{"fd", PT_FD, PF_DEC} } }, - /* PPME_SOCKET_BIND_E */{"bind", EC_NET, EF_USES_FD | EF_MODIFIES_STATE, 1, {{"fd", PT_FD, PF_DEC} } }, - /* PPME_SOCKET_BIND_X */{"bind", EC_NET, EF_USES_FD | EF_MODIFIES_STATE, 2, {{"res", PT_ERRNO, PF_DEC}, {"addr", PT_SOCKADDR, PF_NA} } }, - /* PPME_SOCKET_CONNECT_E */{"connect", EC_NET, EF_USES_FD | EF_MODIFIES_STATE, 2, {{"fd", PT_FD, PF_DEC}, {"addr", PT_SOCKADDR, PF_NA} } }, - /* PPME_SOCKET_CONNECT_X */{"connect", EC_NET, EF_USES_FD | EF_MODIFIES_STATE, 2, {{"res", PT_ERRNO, PF_DEC}, {"tuple", PT_SOCKTUPLE, PF_NA} } }, - /* PPME_SOCKET_LISTEN_E */{"listen", EC_NET, EF_USES_FD, 2, {{"fd", PT_FD, PF_DEC}, {"backlog", PT_UINT32, PF_DEC} } }, - /* PPME_SOCKET_LISTEN_X */{"listen", EC_NET, EF_USES_FD, 1, {{"res", PT_ERRNO, PF_DEC} } }, + /* PPME_SOCKET_SOCKET_X */{"socket", EC_NET, EF_CREATES_FD | EF_MODIFIES_STATE, 1, {{"fd", PT_FD32, PF_DEC} } }, + /* PPME_SOCKET_BIND_E */{"bind", EC_NET, EF_USES_FD | EF_MODIFIES_STATE, 1, {{"fd", PT_FD32, PF_DEC} } }, + /* PPME_SOCKET_BIND_X */{"bind", EC_NET, EF_USES_FD | EF_MODIFIES_STATE, 2, {{"res", PT_ERRNO32, PF_DEC}, {"addr", PT_SOCKADDR, PF_NA} } }, + /* PPME_SOCKET_CONNECT_E */{"connect", EC_NET, EF_USES_FD | EF_MODIFIES_STATE, 2, {{"fd", PT_FD32, PF_DEC}, {"addr", PT_SOCKADDR, PF_NA} } }, + /* PPME_SOCKET_CONNECT_X */{"connect", EC_NET, EF_USES_FD | EF_MODIFIES_STATE, 2, {{"res", PT_ERRNO32, PF_DEC}, {"tuple", PT_SOCKTUPLE, PF_NA} } }, + /* PPME_SOCKET_LISTEN_E */{"listen", EC_NET, EF_USES_FD, 2, {{"fd", PT_FD32, PF_DEC}, {"backlog", PT_UINT32, PF_DEC} } }, + /* PPME_SOCKET_LISTEN_X */{"listen", EC_NET, EF_USES_FD, 1, {{"res", PT_ERRNO32, PF_DEC} } }, /* PPME_SOCKET_ACCEPT_E */{"accept", EC_NET, EF_CREATES_FD | EF_MODIFIES_STATE | EF_OLD_VERSION, 0}, - /* PPME_SOCKET_ACCEPT_X */{"accept", EC_NET, EF_CREATES_FD | EF_MODIFIES_STATE | EF_OLD_VERSION, 3, {{"fd", PT_FD, PF_DEC}, {"tuple", PT_SOCKTUPLE, PF_NA}, {"queuepct", PT_UINT8, PF_DEC} } }, - /* PPME_SYSCALL_SEND_E */{"send", EC_IO_WRITE, EF_USES_FD | EF_WRITES_TO_FD | EF_DROP_SIMPLE_CONS, 2, {{"fd", PT_FD, PF_DEC}, {"size", PT_UINT32, PF_DEC} } }, - /* PPME_SYSCALL_SEND_X */{"send", EC_IO_WRITE, EF_USES_FD | EF_WRITES_TO_FD | EF_DROP_SIMPLE_CONS, 2, {{"res", PT_ERRNO, PF_DEC}, {"data", PT_BYTEBUF, PF_NA} } }, - /* PPME_SOCKET_SENDTO_E */{"sendto", EC_IO_WRITE, EF_USES_FD | EF_WRITES_TO_FD | EF_MODIFIES_STATE, 3, {{"fd", PT_FD, PF_DEC}, {"size", PT_UINT32, PF_DEC}, {"tuple", PT_SOCKTUPLE, PF_NA} } }, - /* PPME_SOCKET_SENDTO_X */{"sendto", EC_IO_WRITE, EF_USES_FD | EF_WRITES_TO_FD | EF_MODIFIES_STATE, 2, {{"res", PT_ERRNO, PF_DEC}, {"data", PT_BYTEBUF, PF_NA} } }, - /* PPME_SOCKET_RECV_E */{"recv", EC_IO_READ, EF_USES_FD | EF_READS_FROM_FD | EF_DROP_SIMPLE_CONS, 2, {{"fd", PT_FD, PF_DEC}, {"size", PT_UINT32, PF_DEC} } }, - /* PPME_SOCKET_RECV_X */{"recv", EC_IO_READ, EF_USES_FD | EF_READS_FROM_FD | EF_DROP_SIMPLE_CONS, 2, {{"res", PT_ERRNO, PF_DEC}, {"data", PT_BYTEBUF, PF_NA} } }, - /* PPME_SOCKET_RECVFROM_E */{"recvfrom", EC_IO_READ, EF_USES_FD | EF_READS_FROM_FD | EF_MODIFIES_STATE, 2, {{"fd", PT_FD, PF_DEC}, {"size", PT_UINT32, PF_DEC} } }, - /* PPME_SOCKET_RECVFROM_X */{"recvfrom", EC_IO_READ, EF_USES_FD | EF_READS_FROM_FD | EF_MODIFIES_STATE, 3, {{"res", PT_ERRNO, PF_DEC}, {"data", PT_BYTEBUF, PF_NA}, {"tuple", PT_SOCKTUPLE, PF_NA} } }, - /* PPME_SOCKET_SHUTDOWN_E */{"shutdown", EC_NET, EF_USES_FD | EF_MODIFIES_STATE | EF_DROP_SIMPLE_CONS, 2, {{"fd", PT_FD, PF_DEC}, {"how", PT_ENUMFLAGS8, PF_HEX, shutdown_how} } }, - /* PPME_SOCKET_SHUTDOWN_X */{"shutdown", EC_NET, EF_USES_FD | EF_MODIFIES_STATE | EF_DROP_SIMPLE_CONS, 1, {{"res", PT_ERRNO, PF_DEC} } }, + /* PPME_SOCKET_ACCEPT_X */{"accept", EC_NET, EF_CREATES_FD | EF_MODIFIES_STATE | EF_OLD_VERSION, 3, {{"fd", PT_FD32, PF_DEC}, {"tuple", PT_SOCKTUPLE, PF_NA}, {"queuepct", PT_UINT8, PF_DEC} } }, + /* PPME_SYSCALL_SEND_E */{"send", EC_IO_WRITE, EF_USES_FD | EF_WRITES_TO_FD | EF_DROP_SIMPLE_CONS, 2, {{"fd", PT_FD32, PF_DEC}, {"size", PT_UINT32, PF_DEC} } }, + /* PPME_SYSCALL_SEND_X */{"send", EC_IO_WRITE, EF_USES_FD | EF_WRITES_TO_FD | EF_DROP_SIMPLE_CONS, 2, {{"res", PT_ERRNO32, PF_DEC}, {"data", PT_BYTEBUF, PF_NA} } }, + /* PPME_SOCKET_SENDTO_E */{"sendto", EC_IO_WRITE, EF_USES_FD | EF_WRITES_TO_FD | EF_MODIFIES_STATE, 3, {{"fd", PT_FD32, PF_DEC}, {"size", PT_UINT32, PF_DEC}, {"tuple", PT_SOCKTUPLE, PF_NA} } }, + /* PPME_SOCKET_SENDTO_X */{"sendto", EC_IO_WRITE, EF_USES_FD | EF_WRITES_TO_FD | EF_MODIFIES_STATE, 2, {{"res", PT_ERRNO32, PF_DEC}, {"data", PT_BYTEBUF, PF_NA} } }, + /* PPME_SOCKET_RECV_E */{"recv", EC_IO_READ, EF_USES_FD | EF_READS_FROM_FD | EF_DROP_SIMPLE_CONS, 2, {{"fd", PT_FD32, PF_DEC}, {"size", PT_UINT32, PF_DEC} } }, + /* PPME_SOCKET_RECV_X */{"recv", EC_IO_READ, EF_USES_FD | EF_READS_FROM_FD | EF_DROP_SIMPLE_CONS, 2, {{"res", PT_ERRNO32, PF_DEC}, {"data", PT_BYTEBUF, PF_NA} } }, + /* PPME_SOCKET_RECVFROM_E */{"recvfrom", EC_IO_READ, EF_USES_FD | EF_READS_FROM_FD | EF_MODIFIES_STATE, 2, {{"fd", PT_FD32, PF_DEC}, {"size", PT_UINT32, PF_DEC} } }, + /* PPME_SOCKET_RECVFROM_X */{"recvfrom", EC_IO_READ, EF_USES_FD | EF_READS_FROM_FD | EF_MODIFIES_STATE, 3, {{"res", PT_ERRNO32, PF_DEC}, {"data", PT_BYTEBUF, PF_NA}, {"tuple", PT_SOCKTUPLE, PF_NA} } }, + /* PPME_SOCKET_SHUTDOWN_E */{"shutdown", EC_NET, EF_USES_FD | EF_MODIFIES_STATE | EF_DROP_SIMPLE_CONS, 2, {{"fd", PT_FD32, PF_DEC}, {"how", PT_ENUMFLAGS8, PF_HEX, shutdown_how} } }, + /* PPME_SOCKET_SHUTDOWN_X */{"shutdown", EC_NET, EF_USES_FD | EF_MODIFIES_STATE | EF_DROP_SIMPLE_CONS, 1, {{"res", PT_ERRNO32, PF_DEC} } }, /* PPME_SOCKET_GETSOCKNAME_E */{"getsockname", EC_NET, EF_DROP_SIMPLE_CONS, 0}, /* PPME_SOCKET_GETSOCKNAME_X */{"getsockname", EC_NET, EF_DROP_SIMPLE_CONS, 0}, /* PPME_SOCKET_GETPEERNAME_E */{"getpeername", EC_NET, EF_DROP_SIMPLE_CONS, 0}, /* PPME_SOCKET_GETPEERNAME_X */{"getpeername", EC_NET, EF_DROP_SIMPLE_CONS, 0}, /* PPME_SOCKET_SOCKETPAIR_E */{"socketpair", EC_IPC, EF_CREATES_FD | EF_MODIFIES_STATE, 3, {{"domain", PT_ENUMFLAGS32, PF_DEC, socket_families}, {"type", PT_UINT32, PF_DEC}, {"proto", PT_UINT32, PF_DEC} } }, - /* PPME_SOCKET_SOCKETPAIR_X */{"socketpair", EC_IPC, EF_CREATES_FD | EF_MODIFIES_STATE, 5, {{"res", PT_ERRNO, PF_DEC}, {"fd1", PT_FD, PF_DEC}, {"fd2", PT_FD, PF_DEC}, {"source", PT_UINT64, PF_HEX}, {"peer", PT_UINT64, PF_HEX} } }, + /* PPME_SOCKET_SOCKETPAIR_X */{"socketpair", EC_IPC, EF_CREATES_FD | EF_MODIFIES_STATE, 5, {{"res", PT_ERRNO32, PF_DEC}, {"fd1", PT_FD32, PF_DEC}, {"fd2", PT_FD32, PF_DEC}, {"source", PT_UINT64, PF_HEX}, {"peer", PT_UINT64, PF_HEX} } }, /* PPME_SOCKET_SETSOCKOPT_E */{"setsockopt", EC_NET, EF_NONE, 0 }, - /* PPME_SOCKET_SETSOCKOPT_X */{"setsockopt", EC_NET, EF_USES_FD, 6, {{"res", PT_ERRNO, PF_DEC}, {"fd", PT_FD, PF_DEC}, {"level", PT_ENUMFLAGS8, PF_DEC, sockopt_levels}, {"optname", PT_ENUMFLAGS8, PF_DEC, sockopt_options}, {"val", PT_DYN, PF_DEC, sockopt_dynamic_param, PPM_SOCKOPT_IDX_MAX}, {"optlen", PT_UINT32, PF_DEC}}}, + /* PPME_SOCKET_SETSOCKOPT_X */{"setsockopt", EC_NET, EF_USES_FD, 6, {{"res", PT_ERRNO32, PF_DEC}, {"fd", PT_FD32, PF_DEC}, {"level", PT_ENUMFLAGS8, PF_DEC, sockopt_levels}, {"optname", PT_ENUMFLAGS8, PF_DEC, sockopt_options}, {"val", PT_DYN, PF_DEC, sockopt_dynamic_param, PPM_SOCKOPT_IDX_MAX}, {"optlen", PT_UINT32, PF_DEC}}}, /* PPME_SOCKET_GETSOCKOPT_E */{"getsockopt", EC_NET, EF_MODIFIES_STATE | EF_DROP_SIMPLE_CONS, 0 }, - /* PPME_SOCKET_GETSOCKOPT_X */{"getsockopt", EC_NET, EF_USES_FD | EF_MODIFIES_STATE| EF_DROP_SIMPLE_CONS, 6, {{"res", PT_ERRNO, PF_DEC}, {"fd", PT_FD, PF_DEC}, {"level", PT_ENUMFLAGS8, PF_DEC, sockopt_levels}, {"optname", PT_ENUMFLAGS8, PF_DEC, sockopt_options}, {"val", PT_DYN, PF_DEC, sockopt_dynamic_param, PPM_SOCKOPT_IDX_MAX}, {"optlen", PT_UINT32, PF_DEC}}}, - /* PPME_SOCKET_SENDMSG_E */{"sendmsg", EC_IO_WRITE, EF_USES_FD | EF_WRITES_TO_FD | EF_MODIFIES_STATE, 3, {{"fd", PT_FD, PF_DEC}, {"size", PT_UINT32, PF_DEC}, {"tuple", PT_SOCKTUPLE, PF_NA} } }, - /* PPME_SOCKET_SENDMSG_X */{"sendmsg", EC_IO_WRITE, EF_USES_FD | EF_WRITES_TO_FD | EF_MODIFIES_STATE, 2, {{"res", PT_ERRNO, PF_DEC}, {"data", PT_BYTEBUF, PF_NA} } }, + /* PPME_SOCKET_GETSOCKOPT_X */{"getsockopt", EC_NET, EF_USES_FD | EF_MODIFIES_STATE| EF_DROP_SIMPLE_CONS, 6, {{"res", PT_ERRNO32, PF_DEC}, {"fd", PT_FD32, PF_DEC}, {"level", PT_ENUMFLAGS8, PF_DEC, sockopt_levels}, {"optname", PT_ENUMFLAGS8, PF_DEC, sockopt_options}, {"val", PT_DYN, PF_DEC, sockopt_dynamic_param, PPM_SOCKOPT_IDX_MAX}, {"optlen", PT_UINT32, PF_DEC}}}, + /* PPME_SOCKET_SENDMSG_E */{"sendmsg", EC_IO_WRITE, EF_USES_FD | EF_WRITES_TO_FD | EF_MODIFIES_STATE, 3, {{"fd", PT_FD32, PF_DEC}, {"size", PT_UINT32, PF_DEC}, {"tuple", PT_SOCKTUPLE, PF_NA} } }, + /* PPME_SOCKET_SENDMSG_X */{"sendmsg", EC_IO_WRITE, EF_USES_FD | EF_WRITES_TO_FD | EF_MODIFIES_STATE, 2, {{"res", PT_ERRNO32, PF_DEC}, {"data", PT_BYTEBUF, PF_NA} } }, /* PPME_SOCKET_SENDMMSG_E */{"sendmmsg", EC_IO_WRITE, EF_DROP_SIMPLE_CONS, 0}, /* PPME_SOCKET_SENDMMSG_X */{"sendmmsg", EC_IO_WRITE, EF_DROP_SIMPLE_CONS, 0}, - /* PPME_SOCKET_RECVMSG_E */{"recvmsg", EC_IO_READ, EF_USES_FD | EF_READS_FROM_FD | EF_MODIFIES_STATE, 1, {{"fd", PT_FD, PF_DEC} } }, - /* PPME_SOCKET_RECVMSG_X */{"recvmsg", EC_IO_READ, EF_USES_FD | EF_READS_FROM_FD | EF_MODIFIES_STATE, 4, {{"res", PT_ERRNO, PF_DEC}, {"size", PT_UINT32, PF_DEC}, {"data", PT_BYTEBUF, PF_NA}, {"tuple", PT_SOCKTUPLE, PF_NA} } }, + /* PPME_SOCKET_RECVMSG_E */{"recvmsg", EC_IO_READ, EF_USES_FD | EF_READS_FROM_FD | EF_MODIFIES_STATE, 1, {{"fd", PT_FD32, PF_DEC} } }, + /* PPME_SOCKET_RECVMSG_X */{"recvmsg", EC_IO_READ, EF_USES_FD | EF_READS_FROM_FD | EF_MODIFIES_STATE, 4, {{"res", PT_ERRNO32, PF_DEC}, {"size", PT_UINT32, PF_DEC}, {"data", PT_BYTEBUF, PF_NA}, {"tuple", PT_SOCKTUPLE, PF_NA} } }, /* PPME_SOCKET_RECVMMSG_E */{"recvmmsg", EC_IO_READ, EF_DROP_SIMPLE_CONS, 0}, /* PPME_SOCKET_RECVMMSG_X */{"recvmmsg", EC_IO_READ, EF_DROP_SIMPLE_CONS, 0}, /* PPME_SOCKET_ACCEPT4_E */{"accept", EC_NET, EF_CREATES_FD | EF_MODIFIES_STATE | EF_OLD_VERSION, 1, {{"flags", PT_INT32, PF_HEX} } }, - /* PPME_SOCKET_ACCEPT4_X */{"accept", EC_NET, EF_CREATES_FD | EF_MODIFIES_STATE | EF_OLD_VERSION, 3, {{"fd", PT_FD, PF_DEC}, {"tuple", PT_SOCKTUPLE, PF_NA}, {"queuepct", PT_UINT8, PF_DEC} } }, + /* PPME_SOCKET_ACCEPT4_X */{"accept", EC_NET, EF_CREATES_FD | EF_MODIFIES_STATE | EF_OLD_VERSION, 3, {{"fd", PT_FD32, PF_DEC}, {"tuple", PT_SOCKTUPLE, PF_NA}, {"queuepct", PT_UINT8, PF_DEC} } }, /* PPME_SYSCALL_CREAT_E */{"creat", EC_FILE, EF_CREATES_FD | EF_MODIFIES_STATE, 2, {{"name", PT_FSPATH, PF_NA}, {"mode", PT_UINT32, PF_OCT} } }, - /* PPME_SYSCALL_CREAT_X */{"creat", EC_FILE, EF_CREATES_FD | EF_MODIFIES_STATE, 5, {{"fd", PT_FD, PF_DEC}, {"name", PT_FSPATH, PF_NA}, {"mode", PT_UINT32, PF_OCT}, {"dev", PT_UINT32, PF_HEX}, {"ino", PT_UINT64, PF_DEC} } }, + /* PPME_SYSCALL_CREAT_X */{"creat", EC_FILE, EF_CREATES_FD | EF_MODIFIES_STATE, 5, {{"fd", PT_FD32, PF_DEC}, {"name", PT_FSPATH, PF_NA}, {"mode", PT_UINT32, PF_OCT}, {"dev", PT_UINT32, PF_HEX}, {"ino", PT_UINT64, PF_DEC} } }, /* PPME_SYSCALL_PIPE_E */{"pipe", EC_IPC, EF_CREATES_FD | EF_MODIFIES_STATE, 0}, - /* PPME_SYSCALL_PIPE_X */{"pipe", EC_IPC, EF_CREATES_FD | EF_MODIFIES_STATE, 4, {{"res", PT_ERRNO, PF_DEC}, {"fd1", PT_FD, PF_DEC}, {"fd2", PT_FD, PF_DEC}, {"ino", PT_UINT64, PF_DEC} } }, + /* PPME_SYSCALL_PIPE_X */{"pipe", EC_IPC, EF_CREATES_FD | EF_MODIFIES_STATE, 4, {{"res", PT_ERRNO32, PF_DEC}, {"fd1", PT_FD32, PF_DEC}, {"fd2", PT_FD32, PF_DEC}, {"ino", PT_UINT64, PF_DEC} } }, /* PPME_SYSCALL_EVENTFD_E */{"eventfd", EC_IPC, EF_CREATES_FD | EF_MODIFIES_STATE | EF_DROP_SIMPLE_CONS, 2, {{"initval", PT_UINT64, PF_DEC}, {"flags", PT_FLAGS32, PF_HEX} } }, - /* PPME_SYSCALL_EVENTFD_X */{"eventfd", EC_IPC, EF_CREATES_FD | EF_MODIFIES_STATE | EF_DROP_SIMPLE_CONS, 1, {{"res", PT_FD, PF_DEC} } }, + /* PPME_SYSCALL_EVENTFD_X */{"eventfd", EC_IPC, EF_CREATES_FD | EF_MODIFIES_STATE | EF_DROP_SIMPLE_CONS, 1, {{"res", PT_FD32, PF_DEC} } }, /* PPME_SYSCALL_FUTEX_E */{"futex", EC_IPC, EF_DROP_SIMPLE_CONS, 3, {{"addr", PT_UINT64, PF_HEX}, {"op", PT_ENUMFLAGS16, PF_HEX, futex_operations}, {"val", PT_UINT64, PF_DEC} } }, - /* PPME_SYSCALL_FUTEX_X */{"futex", EC_IPC, EF_DROP_SIMPLE_CONS, 1, {{"res", PT_ERRNO, PF_DEC} } }, + /* PPME_SYSCALL_FUTEX_X */{"futex", EC_IPC, EF_DROP_SIMPLE_CONS, 1, {{"res", PT_ERRNO32, PF_DEC} } }, /* PPME_SYSCALL_STAT_E */{"stat", EC_FILE, EF_DROP_SIMPLE_CONS, 0}, - /* PPME_SYSCALL_STAT_X */{"stat", EC_FILE, EF_DROP_SIMPLE_CONS, 2, {{"res", PT_ERRNO, PF_DEC}, {"path", PT_FSPATH, PF_NA} } }, + /* PPME_SYSCALL_STAT_X */{"stat", EC_FILE, EF_DROP_SIMPLE_CONS, 2, {{"res", PT_ERRNO32, PF_DEC}, {"path", PT_FSPATH, PF_NA} } }, /* PPME_SYSCALL_LSTAT_E */{"lstat", EC_FILE, EF_DROP_SIMPLE_CONS, 0}, - /* PPME_SYSCALL_LSTAT_X */{"lstat", EC_FILE, EF_DROP_SIMPLE_CONS, 2, {{"res", PT_ERRNO, PF_DEC}, {"path", PT_FSPATH, PF_NA} } }, - /* PPME_SYSCALL_FSTAT_E */{"fstat", EC_FILE, EF_USES_FD | EF_DROP_SIMPLE_CONS, 1, {{"fd", PT_FD, PF_NA} } }, - /* PPME_SYSCALL_FSTAT_X */{"fstat", EC_FILE, EF_USES_FD | EF_DROP_SIMPLE_CONS, 1, {{"res", PT_ERRNO, PF_DEC} } }, + /* PPME_SYSCALL_LSTAT_X */{"lstat", EC_FILE, EF_DROP_SIMPLE_CONS, 2, {{"res", PT_ERRNO32, PF_DEC}, {"path", PT_FSPATH, PF_NA} } }, + /* PPME_SYSCALL_FSTAT_E */{"fstat", EC_FILE, EF_USES_FD | EF_DROP_SIMPLE_CONS, 1, {{"fd", PT_FD32, PF_NA} } }, + /* PPME_SYSCALL_FSTAT_X */{"fstat", EC_FILE, EF_USES_FD | EF_DROP_SIMPLE_CONS, 1, {{"res", PT_ERRNO32, PF_DEC} } }, /* PPME_SYSCALL_STAT64_E */{"stat64", EC_FILE, EF_DROP_SIMPLE_CONS, 0}, - /* PPME_SYSCALL_STAT64_X */{"stat64", EC_FILE, EF_DROP_SIMPLE_CONS, 2, {{"res", PT_ERRNO, PF_DEC}, {"path", PT_FSPATH, PF_NA} } }, + /* PPME_SYSCALL_STAT64_X */{"stat64", EC_FILE, EF_DROP_SIMPLE_CONS, 2, {{"res", PT_ERRNO32, PF_DEC}, {"path", PT_FSPATH, PF_NA} } }, /* PPME_SYSCALL_LSTAT64_E */{"lstat64", EC_FILE, EF_DROP_SIMPLE_CONS, 0}, - /* PPME_SYSCALL_LSTAT64_X */{"lstat64", EC_FILE, EF_DROP_SIMPLE_CONS, 2, {{"res", PT_ERRNO, PF_DEC}, {"path", PT_FSPATH, PF_NA} } }, - /* PPME_SYSCALL_FSTAT64_E */{"fstat64", EC_FILE, EF_USES_FD | EF_DROP_SIMPLE_CONS, 1, {{"fd", PT_FD, PF_NA} } }, - /* PPME_SYSCALL_FSTAT64_X */{"fstat64", EC_FILE, EF_USES_FD | EF_DROP_SIMPLE_CONS, 1, {{"res", PT_ERRNO, PF_DEC} } }, - /* PPME_SYSCALL_EPOLLWAIT_E */{"epoll_wait", EC_WAIT, EF_WAITS | EF_DROP_SIMPLE_CONS, 1, {{"maxevents", PT_ERRNO, PF_DEC} } }, - /* PPME_SYSCALL_EPOLLWAIT_X */{"epoll_wait", EC_WAIT, EF_WAITS | EF_DROP_SIMPLE_CONS, 1, {{"res", PT_ERRNO, PF_DEC} } }, - /* PPME_SYSCALL_POLL_E */{"poll", EC_WAIT, EF_WAITS | EF_DROP_SIMPLE_CONS, 2, {{"fds", PT_FDLIST, PF_DEC}, {"timeout", PT_INT64, PF_DEC} } }, - /* PPME_SYSCALL_POLL_X */{"poll", EC_WAIT, EF_WAITS | EF_DROP_SIMPLE_CONS, 2, {{"res", PT_ERRNO, PF_DEC}, {"fds", PT_FDLIST, PF_DEC} } }, + /* PPME_SYSCALL_LSTAT64_X */{"lstat64", EC_FILE, EF_DROP_SIMPLE_CONS, 2, {{"res", PT_ERRNO32, PF_DEC}, {"path", PT_FSPATH, PF_NA} } }, + /* PPME_SYSCALL_FSTAT64_E */{"fstat64", EC_FILE, EF_USES_FD | EF_DROP_SIMPLE_CONS, 1, {{"fd", PT_FD32, PF_NA} } }, + /* PPME_SYSCALL_FSTAT64_X */{"fstat64", EC_FILE, EF_USES_FD | EF_DROP_SIMPLE_CONS, 1, {{"res", PT_ERRNO32, PF_DEC} } }, + /* PPME_SYSCALL_EPOLLWAIT_E */{"epoll_wait", EC_WAIT, EF_WAITS | EF_DROP_SIMPLE_CONS, 1, {{"maxevents", PT_ERRNO32, PF_DEC} } }, + /* PPME_SYSCALL_EPOLLWAIT_X */{"epoll_wait", EC_WAIT, EF_WAITS | EF_DROP_SIMPLE_CONS, 1, {{"res", PT_ERRNO32, PF_DEC} } }, + /* PPME_SYSCALL_POLL_E */{"poll", EC_WAIT, EF_WAITS | EF_DROP_SIMPLE_CONS, 2, {{"fds", PT_FDLIST32, PF_DEC}, {"timeout", PT_INT64, PF_DEC} } }, + /* PPME_SYSCALL_POLL_X */{"poll", EC_WAIT, EF_WAITS | EF_DROP_SIMPLE_CONS, 2, {{"res", PT_ERRNO32, PF_DEC}, {"fds", PT_FDLIST32, PF_DEC} } }, /* PPME_SYSCALL_SELECT_E */{"select", EC_WAIT, EF_WAITS | EF_DROP_SIMPLE_CONS, 0}, - /* PPME_SYSCALL_SELECT_X */{"select", EC_WAIT, EF_WAITS | EF_DROP_SIMPLE_CONS, 1, {{"res", PT_ERRNO, PF_DEC} } }, + /* PPME_SYSCALL_SELECT_X */{"select", EC_WAIT, EF_WAITS | EF_DROP_SIMPLE_CONS, 1, {{"res", PT_ERRNO32, PF_DEC} } }, /* PPME_SYSCALL_NEWSELECT_E */{"select", EC_WAIT, EF_WAITS | EF_DROP_SIMPLE_CONS, 0}, - /* PPME_SYSCALL_NEWSELECT_X */{"select", EC_WAIT, EF_WAITS | EF_DROP_SIMPLE_CONS, 1, {{"res", PT_ERRNO, PF_DEC} } }, - /* PPME_SYSCALL_LSEEK_E */{"lseek", EC_FILE, EF_USES_FD | EF_DROP_SIMPLE_CONS, 3, {{"fd", PT_FD, PF_DEC}, {"offset", PT_UINT64, PF_DEC}, {"whence", PT_ENUMFLAGS8, PF_DEC, lseek_whence} } }, - /* PPME_SYSCALL_LSEEK_X */{"lseek", EC_FILE, EF_USES_FD | EF_DROP_SIMPLE_CONS, 1, {{"res", PT_ERRNO, PF_DEC} } }, - /* PPME_SYSCALL_LLSEEK_E */{"llseek", EC_FILE, EF_USES_FD | EF_DROP_SIMPLE_CONS, 3, {{"fd", PT_FD, PF_DEC}, {"offset", PT_UINT64, PF_DEC}, {"whence", PT_ENUMFLAGS8, PF_DEC, lseek_whence} } }, - /* PPME_SYSCALL_LLSEEK_X */{"llseek", EC_FILE, EF_USES_FD | EF_DROP_SIMPLE_CONS, 1, {{"res", PT_ERRNO, PF_DEC} } }, - /* PPME_SYSCALL_IOCTL_2_E */{"ioctl", EC_IO_OTHER, EF_USES_FD | EF_OLD_VERSION, 2, {{"fd", PT_FD, PF_DEC}, {"request", PT_UINT64, PF_HEX} } }, - /* PPME_SYSCALL_IOCTL_2_X */{"ioctl", EC_IO_OTHER, EF_USES_FD | EF_OLD_VERSION, 1, {{"res", PT_ERRNO, PF_DEC} } }, + /* PPME_SYSCALL_NEWSELECT_X */{"select", EC_WAIT, EF_WAITS | EF_DROP_SIMPLE_CONS, 1, {{"res", PT_ERRNO32, PF_DEC} } }, + /* PPME_SYSCALL_LSEEK_E */{"lseek", EC_FILE, EF_USES_FD | EF_DROP_SIMPLE_CONS, 3, {{"fd", PT_FD32, PF_DEC}, {"offset", PT_UINT64, PF_DEC}, {"whence", PT_ENUMFLAGS8, PF_DEC, lseek_whence} } }, + /* PPME_SYSCALL_LSEEK_X */{"lseek", EC_FILE, EF_USES_FD | EF_DROP_SIMPLE_CONS, 1, {{"res", PT_ERRNO32, PF_DEC} } }, + /* PPME_SYSCALL_LLSEEK_E */{"llseek", EC_FILE, EF_USES_FD | EF_DROP_SIMPLE_CONS, 3, {{"fd", PT_FD32, PF_DEC}, {"offset", PT_UINT64, PF_DEC}, {"whence", PT_ENUMFLAGS8, PF_DEC, lseek_whence} } }, + /* PPME_SYSCALL_LLSEEK_X */{"llseek", EC_FILE, EF_USES_FD | EF_DROP_SIMPLE_CONS, 1, {{"res", PT_ERRNO32, PF_DEC} } }, + /* PPME_SYSCALL_IOCTL_2_E */{"ioctl", EC_IO_OTHER, EF_USES_FD | EF_OLD_VERSION, 2, {{"fd", PT_FD32, PF_DEC}, {"request", PT_UINT64, PF_HEX} } }, + /* PPME_SYSCALL_IOCTL_2_X */{"ioctl", EC_IO_OTHER, EF_USES_FD | EF_OLD_VERSION, 1, {{"res", PT_ERRNO32, PF_DEC} } }, /* PPME_SYSCALL_GETCWD_E */{"getcwd", EC_FILE, EF_DROP_SIMPLE_CONS, 0}, /* Note: path is PT_CHARBUF and not PT_FSPATH because we assume it's absolute and will never need resolution */ - /* PPME_SYSCALL_GETCWD_X */{"getcwd", EC_FILE, EF_DROP_SIMPLE_CONS, 2, {{"res", PT_ERRNO, PF_DEC}, {"path", PT_CHARBUF, PF_NA} } }, + /* PPME_SYSCALL_GETCWD_X */{"getcwd", EC_FILE, EF_DROP_SIMPLE_CONS, 2, {{"res", PT_ERRNO32, PF_DEC}, {"path", PT_CHARBUF, PF_NA} } }, /* Note: path is PT_CHARBUF and not PT_FSPATH because we don't want it to be resolved, since the event handler already changes it */ /* PPME_SYSCALL_CHDIR_E */{"chdir", EC_FILE, EF_MODIFIES_STATE, 0}, - /* PPME_SYSCALL_CHDIR_X */{"chdir", EC_FILE, EF_MODIFIES_STATE, 2, {{"res", PT_ERRNO, PF_DEC}, {"path", PT_CHARBUF, PF_NA} } }, - /* PPME_SYSCALL_FCHDIR_E */{"fchdir", EC_FILE, EF_USES_FD | EF_MODIFIES_STATE, 1, {{"fd", PT_FD, PF_NA} } }, - /* PPME_SYSCALL_FCHDIR_X */{"fchdir", EC_FILE, EF_USES_FD | EF_MODIFIES_STATE, 1, {{"res", PT_ERRNO, PF_DEC} } }, + /* PPME_SYSCALL_CHDIR_X */{"chdir", EC_FILE, EF_MODIFIES_STATE, 2, {{"res", PT_ERRNO32, PF_DEC}, {"path", PT_CHARBUF, PF_NA} } }, + /* PPME_SYSCALL_FCHDIR_E */{"fchdir", EC_FILE, EF_USES_FD | EF_MODIFIES_STATE, 1, {{"fd", PT_FD32, PF_NA} } }, + /* PPME_SYSCALL_FCHDIR_X */{"fchdir", EC_FILE, EF_USES_FD | EF_MODIFIES_STATE, 1, {{"res", PT_ERRNO32, PF_DEC} } }, /* PPME_SYSCALL_MKDIR_E */{"mkdir", EC_FILE, EF_OLD_VERSION, 2, {{"path", PT_FSPATH, PF_NA}, {"mode", PT_UINT32, PF_HEX} } }, - /* PPME_SYSCALL_MKDIR_X */{"mkdir", EC_FILE, EF_OLD_VERSION, 1, {{"res", PT_ERRNO, PF_DEC} } }, + /* PPME_SYSCALL_MKDIR_X */{"mkdir", EC_FILE, EF_OLD_VERSION, 1, {{"res", PT_ERRNO32, PF_DEC} } }, /* PPME_SYSCALL_RMDIR_E */{"rmdir", EC_FILE, EF_OLD_VERSION, 1, {{"path", PT_FSPATH, PF_NA} } }, - /* PPME_SYSCALL_RMDIR_X */{"rmdir", EC_FILE, EF_OLD_VERSION, 1, {{"res", PT_ERRNO, PF_DEC} } }, - /* PPME_SYSCALL_OPENAT_E */{"openat", EC_FILE, EF_CREATES_FD | EF_MODIFIES_STATE | EF_OLD_VERSION, 4, {{"dirfd", PT_FD, PF_DEC}, {"name", PT_CHARBUF, PF_NA}, {"flags", PT_FLAGS32, PF_HEX, file_flags}, {"mode", PT_UINT32, PF_OCT} } }, - /* PPME_SYSCALL_OPENAT_X */{"openat", EC_FILE, EF_CREATES_FD | EF_MODIFIES_STATE | EF_OLD_VERSION, 1, {{"fd", PT_FD, PF_DEC} } }, + /* PPME_SYSCALL_RMDIR_X */{"rmdir", EC_FILE, EF_OLD_VERSION, 1, {{"res", PT_ERRNO32, PF_DEC} } }, + /* PPME_SYSCALL_OPENAT_E */{"openat", EC_FILE, EF_CREATES_FD | EF_MODIFIES_STATE | EF_OLD_VERSION, 4, {{"dirfd", PT_FD32, PF_DEC}, {"name", PT_CHARBUF, PF_NA}, {"flags", PT_FLAGS32, PF_HEX, file_flags}, {"mode", PT_UINT32, PF_OCT} } }, + /* PPME_SYSCALL_OPENAT_X */{"openat", EC_FILE, EF_CREATES_FD | EF_MODIFIES_STATE | EF_OLD_VERSION, 1, {{"fd", PT_FD32, PF_DEC} } }, /* PPME_SYSCALL_LINK_E */{"link", EC_FILE, EF_OLD_VERSION, 2, {{"oldpath", PT_FSPATH, PF_NA}, {"newpath", PT_FSPATH, PF_NA} } }, - /* PPME_SYSCALL_LINK_X */{"link", EC_FILE, EF_OLD_VERSION, 1, {{"res", PT_ERRNO, PF_DEC} } }, - /* PPME_SYSCALL_LINKAT_E */{"linkat", EC_FILE, EF_OLD_VERSION, 4, {{"olddir", PT_FD, PF_DEC}, {"oldpath", PT_CHARBUF, PF_NA}, {"newdir", PT_FD, PF_DEC}, {"newpath", PT_CHARBUF, PF_NA} } }, - /* PPME_SYSCALL_LINKAT_X */{"linkat", EC_FILE, EF_OLD_VERSION, 1, {{"res", PT_ERRNO, PF_DEC} } }, + /* PPME_SYSCALL_LINK_X */{"link", EC_FILE, EF_OLD_VERSION, 1, {{"res", PT_ERRNO32, PF_DEC} } }, + /* PPME_SYSCALL_LINKAT_E */{"linkat", EC_FILE, EF_OLD_VERSION, 4, {{"olddir", PT_FD32, PF_DEC}, {"oldpath", PT_CHARBUF, PF_NA}, {"newdir", PT_FD32, PF_DEC}, {"newpath", PT_CHARBUF, PF_NA} } }, + /* PPME_SYSCALL_LINKAT_X */{"linkat", EC_FILE, EF_OLD_VERSION, 1, {{"res", PT_ERRNO32, PF_DEC} } }, /* PPME_SYSCALL_UNLINK_E */{"unlink", EC_FILE, EF_OLD_VERSION, 1, {{"path", PT_FSPATH, PF_NA} } }, - /* PPME_SYSCALL_UNLINK_X */{"unlink", EC_FILE, EF_OLD_VERSION, 1, {{"res", PT_ERRNO, PF_DEC} } }, - /* PPME_SYSCALL_UNLINKAT_E */{"unlinkat", EC_FILE, EF_OLD_VERSION, 2, {{"dirfd", PT_FD, PF_DEC}, {"name", PT_CHARBUF, PF_NA} } }, - /* PPME_SYSCALL_UNLINKAT_X */{"unlinkat", EC_FILE, EF_OLD_VERSION, 1, {{"res", PT_ERRNO, PF_DEC} } }, - /* PPME_SYSCALL_PREAD_E */{"pread", EC_IO_READ, EF_USES_FD | EF_READS_FROM_FD | EF_DROP_SIMPLE_CONS, 3, {{"fd", PT_FD, PF_DEC}, {"size", PT_UINT32, PF_DEC}, {"pos", PT_UINT64, PF_DEC} } }, - /* PPME_SYSCALL_PREAD_X */{"pread", EC_IO_READ, EF_USES_FD | EF_READS_FROM_FD | EF_DROP_SIMPLE_CONS, 2, {{"res", PT_ERRNO, PF_DEC}, {"data", PT_BYTEBUF, PF_NA} } }, - /* PPME_SYSCALL_PWRITE_E */{"pwrite", EC_IO_WRITE, EF_USES_FD | EF_WRITES_TO_FD | EF_DROP_SIMPLE_CONS, 3, {{"fd", PT_FD, PF_DEC}, {"size", PT_UINT32, PF_DEC}, {"pos", PT_UINT64, PF_DEC} } }, - /* PPME_SYSCALL_PWRITE_X */{"pwrite", EC_IO_WRITE, EF_USES_FD | EF_WRITES_TO_FD | EF_DROP_SIMPLE_CONS, 2, {{"res", PT_ERRNO, PF_DEC}, {"data", PT_BYTEBUF, PF_NA} } }, - /* PPME_SYSCALL_READV_E */{"readv", EC_IO_READ, EF_USES_FD | EF_READS_FROM_FD | EF_DROP_SIMPLE_CONS, 1, {{"fd", PT_FD, PF_DEC} } }, - /* PPME_SYSCALL_READV_X */{"readv", EC_IO_READ, EF_USES_FD | EF_READS_FROM_FD | EF_DROP_SIMPLE_CONS, 3, {{"res", PT_ERRNO, PF_DEC}, {"size", PT_UINT32, PF_DEC}, {"data", PT_BYTEBUF, PF_NA} } }, - /* PPME_SYSCALL_WRITEV_E */{"writev", EC_IO_WRITE, EF_USES_FD | EF_WRITES_TO_FD | EF_DROP_SIMPLE_CONS, 2, {{"fd", PT_FD, PF_DEC}, {"size", PT_UINT32, PF_DEC} } }, - /* PPME_SYSCALL_WRITEV_X */{"writev", EC_IO_WRITE, EF_USES_FD | EF_WRITES_TO_FD | EF_DROP_SIMPLE_CONS, 2, {{"res", PT_ERRNO, PF_DEC}, {"data", PT_BYTEBUF, PF_NA} } }, - /* PPME_SYSCALL_PREADV_E */{"preadv", EC_IO_READ, EF_USES_FD | EF_READS_FROM_FD | EF_DROP_SIMPLE_CONS, 2, {{"fd", PT_FD, PF_DEC}, {"pos", PT_UINT64, PF_DEC} } }, - /* PPME_SYSCALL_PREADV_X */{"preadv", EC_IO_READ, EF_USES_FD | EF_READS_FROM_FD | EF_DROP_SIMPLE_CONS, 3, {{"res", PT_ERRNO, PF_DEC}, {"size", PT_UINT32, PF_DEC}, {"data", PT_BYTEBUF, PF_NA} } }, - /* PPME_SYSCALL_PWRITEV_E */{"pwritev", EC_IO_WRITE, EF_USES_FD | EF_WRITES_TO_FD | EF_DROP_SIMPLE_CONS, 3, {{"fd", PT_FD, PF_DEC}, {"size", PT_UINT32, PF_DEC}, {"pos", PT_UINT64, PF_DEC} } }, - /* PPME_SYSCALL_PWRITEV_X */{"pwritev", EC_IO_WRITE, EF_USES_FD | EF_WRITES_TO_FD | EF_DROP_SIMPLE_CONS, 2, {{"res", PT_ERRNO, PF_DEC}, {"data", PT_BYTEBUF, PF_NA} } }, - /* PPME_SYSCALL_DUP_E */{"dup", EC_IO_OTHER, EF_CREATES_FD | EF_USES_FD | EF_MODIFIES_STATE | EF_OLD_VERSION, 1, {{"fd", PT_FD, PF_DEC} } }, - /* PPME_SYSCALL_DUP_X */{"dup", EC_IO_OTHER, EF_CREATES_FD | EF_USES_FD | EF_MODIFIES_STATE | EF_OLD_VERSION, 1, {{"res", PT_FD, PF_DEC} } }, - /* PPME_SYSCALL_SIGNALFD_E */{"signalfd", EC_SIGNAL, EF_CREATES_FD | EF_MODIFIES_STATE, 3, {{"fd", PT_FD, PF_DEC}, {"mask", PT_UINT32, PF_HEX}, {"flags", PT_FLAGS8, PF_HEX} } }, - /* PPME_SYSCALL_SIGNALFD_X */{"signalfd", EC_SIGNAL, EF_CREATES_FD | EF_MODIFIES_STATE, 1, {{"res", PT_FD, PF_DEC} } }, - /* PPME_SYSCALL_KILL_E */{"kill", EC_SIGNAL, EF_NONE, 2, {{"pid", PT_PID, PF_DEC}, {"sig", PT_SIGTYPE, PF_DEC} } }, - /* PPME_SYSCALL_KILL_X */{"kill", EC_SIGNAL, EF_NONE, 1, {{"res", PT_ERRNO, PF_DEC} } }, - /* PPME_SYSCALL_TKILL_E */{"tkill", EC_SIGNAL, EF_NONE, 2, {{"tid", PT_PID, PF_DEC}, {"sig", PT_SIGTYPE, PF_DEC} } }, - /* PPME_SYSCALL_TKILL_X */{"tkill", EC_SIGNAL, EF_NONE, 1, {{"res", PT_ERRNO, PF_DEC} } }, - /* PPME_SYSCALL_TGKILL_E */{"tgkill", EC_SIGNAL, EF_NONE, 3, {{"pid", PT_PID, PF_DEC}, {"tid", PT_PID, PF_DEC}, {"sig", PT_SIGTYPE, PF_DEC} } }, - /* PPME_SYSCALL_TGKILL_X */{"tgkill", EC_SIGNAL, EF_NONE, 1, {{"res", PT_ERRNO, PF_DEC} } }, + /* PPME_SYSCALL_UNLINK_X */{"unlink", EC_FILE, EF_OLD_VERSION, 1, {{"res", PT_ERRNO32, PF_DEC} } }, + /* PPME_SYSCALL_UNLINKAT_E */{"unlinkat", EC_FILE, EF_OLD_VERSION, 2, {{"dirfd", PT_FD32, PF_DEC}, {"name", PT_CHARBUF, PF_NA} } }, + /* PPME_SYSCALL_UNLINKAT_X */{"unlinkat", EC_FILE, EF_OLD_VERSION, 1, {{"res", PT_ERRNO32, PF_DEC} } }, + /* PPME_SYSCALL_PREAD_E */{"pread", EC_IO_READ, EF_USES_FD | EF_READS_FROM_FD | EF_DROP_SIMPLE_CONS, 3, {{"fd", PT_FD32, PF_DEC}, {"size", PT_UINT32, PF_DEC}, {"pos", PT_UINT64, PF_DEC} } }, + /* PPME_SYSCALL_PREAD_X */{"pread", EC_IO_READ, EF_USES_FD | EF_READS_FROM_FD | EF_DROP_SIMPLE_CONS, 2, {{"res", PT_ERRNO32, PF_DEC}, {"data", PT_BYTEBUF, PF_NA} } }, + /* PPME_SYSCALL_PWRITE_E */{"pwrite", EC_IO_WRITE, EF_USES_FD | EF_WRITES_TO_FD | EF_DROP_SIMPLE_CONS, 3, {{"fd", PT_FD32, PF_DEC}, {"size", PT_UINT32, PF_DEC}, {"pos", PT_UINT64, PF_DEC} } }, + /* PPME_SYSCALL_PWRITE_X */{"pwrite", EC_IO_WRITE, EF_USES_FD | EF_WRITES_TO_FD | EF_DROP_SIMPLE_CONS, 2, {{"res", PT_ERRNO32, PF_DEC}, {"data", PT_BYTEBUF, PF_NA} } }, + /* PPME_SYSCALL_READV_E */{"readv", EC_IO_READ, EF_USES_FD | EF_READS_FROM_FD | EF_DROP_SIMPLE_CONS, 1, {{"fd", PT_FD32, PF_DEC} } }, + /* PPME_SYSCALL_READV_X */{"readv", EC_IO_READ, EF_USES_FD | EF_READS_FROM_FD | EF_DROP_SIMPLE_CONS, 3, {{"res", PT_ERRNO32, PF_DEC}, {"size", PT_UINT32, PF_DEC}, {"data", PT_BYTEBUF, PF_NA} } }, + /* PPME_SYSCALL_WRITEV_E */{"writev", EC_IO_WRITE, EF_USES_FD | EF_WRITES_TO_FD | EF_DROP_SIMPLE_CONS, 2, {{"fd", PT_FD32, PF_DEC}, {"size", PT_UINT32, PF_DEC} } }, + /* PPME_SYSCALL_WRITEV_X */{"writev", EC_IO_WRITE, EF_USES_FD | EF_WRITES_TO_FD | EF_DROP_SIMPLE_CONS, 2, {{"res", PT_ERRNO32, PF_DEC}, {"data", PT_BYTEBUF, PF_NA} } }, + /* PPME_SYSCALL_PREADV_E */{"preadv", EC_IO_READ, EF_USES_FD | EF_READS_FROM_FD | EF_DROP_SIMPLE_CONS, 2, {{"fd", PT_FD32, PF_DEC}, {"pos", PT_UINT64, PF_DEC} } }, + /* PPME_SYSCALL_PREADV_X */{"preadv", EC_IO_READ, EF_USES_FD | EF_READS_FROM_FD | EF_DROP_SIMPLE_CONS, 3, {{"res", PT_ERRNO32, PF_DEC}, {"size", PT_UINT32, PF_DEC}, {"data", PT_BYTEBUF, PF_NA} } }, + /* PPME_SYSCALL_PWRITEV_E */{"pwritev", EC_IO_WRITE, EF_USES_FD | EF_WRITES_TO_FD | EF_DROP_SIMPLE_CONS, 3, {{"fd", PT_FD32, PF_DEC}, {"size", PT_UINT32, PF_DEC}, {"pos", PT_UINT64, PF_DEC} } }, + /* PPME_SYSCALL_PWRITEV_X */{"pwritev", EC_IO_WRITE, EF_USES_FD | EF_WRITES_TO_FD | EF_DROP_SIMPLE_CONS, 2, {{"res", PT_ERRNO32, PF_DEC}, {"data", PT_BYTEBUF, PF_NA} } }, + /* PPME_SYSCALL_DUP_E */{"dup", EC_IO_OTHER, EF_CREATES_FD | EF_USES_FD | EF_MODIFIES_STATE | EF_OLD_VERSION, 1, {{"fd", PT_FD32, PF_DEC} } }, + /* PPME_SYSCALL_DUP_X */{"dup", EC_IO_OTHER, EF_CREATES_FD | EF_USES_FD | EF_MODIFIES_STATE | EF_OLD_VERSION, 1, {{"res", PT_FD32, PF_DEC} } }, + /* PPME_SYSCALL_SIGNALFD_E */{"signalfd", EC_SIGNAL, EF_CREATES_FD | EF_MODIFIES_STATE, 3, {{"fd", PT_FD32, PF_DEC}, {"mask", PT_UINT32, PF_HEX}, {"flags", PT_FLAGS8, PF_HEX} } }, + /* PPME_SYSCALL_SIGNALFD_X */{"signalfd", EC_SIGNAL, EF_CREATES_FD | EF_MODIFIES_STATE, 1, {{"res", PT_FD32, PF_DEC} } }, + /* PPME_SYSCALL_KILL_E */{"kill", EC_SIGNAL, EF_NONE, 2, {{"pid", PT_PID32, PF_DEC}, {"sig", PT_SIGTYPE, PF_DEC} } }, + /* PPME_SYSCALL_KILL_X */{"kill", EC_SIGNAL, EF_NONE, 1, {{"res", PT_ERRNO32, PF_DEC} } }, + /* PPME_SYSCALL_TKILL_E */{"tkill", EC_SIGNAL, EF_NONE, 2, {{"tid", PT_PID32, PF_DEC}, {"sig", PT_SIGTYPE, PF_DEC} } }, + /* PPME_SYSCALL_TKILL_X */{"tkill", EC_SIGNAL, EF_NONE, 1, {{"res", PT_ERRNO32, PF_DEC} } }, + /* PPME_SYSCALL_TGKILL_E */{"tgkill", EC_SIGNAL, EF_NONE, 3, {{"pid", PT_PID32, PF_DEC}, {"tid", PT_PID32, PF_DEC}, {"sig", PT_SIGTYPE, PF_DEC} } }, + /* PPME_SYSCALL_TGKILL_X */{"tgkill", EC_SIGNAL, EF_NONE, 1, {{"res", PT_ERRNO32, PF_DEC} } }, /* PPME_SYSCALL_NANOSLEEP_E */{"nanosleep", EC_SLEEP, EF_WAITS | EF_DROP_SIMPLE_CONS, 1, {{"interval", PT_RELTIME, PF_DEC} } }, - /* PPME_SYSCALL_NANOSLEEP_X */{"nanosleep", EC_SLEEP, EF_WAITS | EF_DROP_SIMPLE_CONS, 1, {{"res", PT_ERRNO, PF_DEC} } }, + /* PPME_SYSCALL_NANOSLEEP_X */{"nanosleep", EC_SLEEP, EF_WAITS | EF_DROP_SIMPLE_CONS, 1, {{"res", PT_ERRNO32, PF_DEC} } }, /* PPME_SYSCALL_TIMERFD_CREATE_E */{"timerfd_create", EC_TIME, EF_CREATES_FD | EF_MODIFIES_STATE | EF_DROP_SIMPLE_CONS, 2, {{"clockid", PT_UINT8, PF_DEC}, {"flags", PT_FLAGS8, PF_HEX} } }, - /* PPME_SYSCALL_TIMERFD_CREATE_X */{"timerfd_create", EC_TIME, EF_CREATES_FD | EF_MODIFIES_STATE | EF_DROP_SIMPLE_CONS, 1, {{"res", PT_FD, PF_DEC} } }, + /* PPME_SYSCALL_TIMERFD_CREATE_X */{"timerfd_create", EC_TIME, EF_CREATES_FD | EF_MODIFIES_STATE | EF_DROP_SIMPLE_CONS, 1, {{"res", PT_FD32, PF_DEC} } }, /* PPME_SYSCALL_INOTIFY_INIT_E */{"inotify_init", EC_IPC, EF_CREATES_FD | EF_MODIFIES_STATE, 1, {{"flags", PT_FLAGS8, PF_HEX} } }, - /* PPME_SYSCALL_INOTIFY_INIT_X */{"inotify_init", EC_IPC, EF_CREATES_FD | EF_MODIFIES_STATE, 1, {{"res", PT_FD, PF_DEC} } }, + /* PPME_SYSCALL_INOTIFY_INIT_X */{"inotify_init", EC_IPC, EF_CREATES_FD | EF_MODIFIES_STATE, 1, {{"res", PT_FD32, PF_DEC} } }, /* PPME_SYSCALL_GETRLIMIT_E */{"getrlimit", EC_PROCESS, EF_DROP_SIMPLE_CONS, 1, {{"resource", PT_ENUMFLAGS8, PF_DEC, rlimit_resources} } }, - /* PPME_SYSCALL_GETRLIMIT_X */{"getrlimit", EC_PROCESS, EF_DROP_SIMPLE_CONS, 3, {{"res", PT_ERRNO, PF_DEC}, {"cur", PT_INT64, PF_DEC}, {"max", PT_INT64, PF_DEC} } }, + /* PPME_SYSCALL_GETRLIMIT_X */{"getrlimit", EC_PROCESS, EF_DROP_SIMPLE_CONS, 3, {{"res", PT_ERRNO32, PF_DEC}, {"cur", PT_INT64, PF_DEC}, {"max", PT_INT64, PF_DEC} } }, /* PPME_SYSCALL_SETRLIMIT_E */{"setrlimit", EC_PROCESS, EF_DROP_SIMPLE_CONS, 1, {{"resource", PT_ENUMFLAGS8, PF_DEC, rlimit_resources} } }, - /* PPME_SYSCALL_SETRLIMIT_X */{"setrlimit", EC_PROCESS, EF_DROP_SIMPLE_CONS, 3, {{"res", PT_ERRNO, PF_DEC}, {"cur", PT_INT64, PF_DEC}, {"max", PT_INT64, PF_DEC} } }, - /* PPME_SYSCALL_PRLIMIT_E */{"prlimit", EC_PROCESS, EF_NONE, 2, {{"pid", PT_PID, PF_DEC}, {"resource", PT_ENUMFLAGS8, PF_DEC, rlimit_resources} } }, - /* PPME_SYSCALL_PRLIMIT_X */{"prlimit", EC_PROCESS, EF_NONE, 5, {{"res", PT_ERRNO, PF_DEC}, {"newcur", PT_INT64, PF_DEC}, {"newmax", PT_INT64, PF_DEC}, {"oldcur", PT_INT64, PF_DEC}, {"oldmax", PT_INT64, PF_DEC} } }, - /* PPME_SCHEDSWITCH_1_E */{"switch", EC_SCHEDULER, EF_SKIPPARSERESET | EF_OLD_VERSION | EF_DROP_SIMPLE_CONS, 1, {{"next", PT_PID, PF_DEC} } }, + /* PPME_SYSCALL_SETRLIMIT_X */{"setrlimit", EC_PROCESS, EF_DROP_SIMPLE_CONS, 3, {{"res", PT_ERRNO32, PF_DEC}, {"cur", PT_INT64, PF_DEC}, {"max", PT_INT64, PF_DEC} } }, + /* PPME_SYSCALL_PRLIMIT_E */{"prlimit", EC_PROCESS, EF_NONE, 2, {{"pid", PT_PID32, PF_DEC}, {"resource", PT_ENUMFLAGS8, PF_DEC, rlimit_resources} } }, + /* PPME_SYSCALL_PRLIMIT_X */{"prlimit", EC_PROCESS, EF_NONE, 5, {{"res", PT_ERRNO32, PF_DEC}, {"newcur", PT_INT64, PF_DEC}, {"newmax", PT_INT64, PF_DEC}, {"oldcur", PT_INT64, PF_DEC}, {"oldmax", PT_INT64, PF_DEC} } }, + /* PPME_SCHEDSWITCH_1_E */{"switch", EC_SCHEDULER, EF_SKIPPARSERESET | EF_OLD_VERSION | EF_DROP_SIMPLE_CONS, 1, {{"next", PT_PID32, PF_DEC} } }, /* PPME_SCHEDSWITCH_1_X */{"NA2", EC_SCHEDULER, EF_SKIPPARSERESET | EF_UNUSED | EF_OLD_VERSION, 0}, /* PPME_DROP_E */{"drop", EC_INTERNAL, EF_SKIPPARSERESET, 1, {{"ratio", PT_UINT32, PF_DEC} } }, /* PPME_DROP_X */{"drop", EC_INTERNAL, EF_SKIPPARSERESET, 1, {{"ratio", PT_UINT32, PF_DEC} } }, - /* PPME_SYSCALL_FCNTL_E */{"fcntl", EC_IO_OTHER, EF_USES_FD | EF_MODIFIES_STATE | EF_DROP_SIMPLE_CONS, 2, {{"fd", PT_FD, PF_DEC}, {"cmd", PT_ENUMFLAGS8, PF_DEC, fcntl_commands} } }, - /* PPME_SYSCALL_FCNTL_X */{"fcntl", EC_IO_OTHER, EF_USES_FD | EF_MODIFIES_STATE | EF_DROP_SIMPLE_CONS, 1, {{"res", PT_FD, PF_DEC} } }, - /* PPME_SCHEDSWITCH_6_E */{"switch", EC_SCHEDULER, EF_DROP_SIMPLE_CONS, 6, {{"next", PT_PID, PF_DEC}, {"pgft_maj", PT_UINT64, PF_DEC}, {"pgft_min", PT_UINT64, PF_DEC}, {"vm_size", PT_UINT32, PF_DEC}, {"vm_rss", PT_UINT32, PF_DEC}, {"vm_swap", PT_UINT32, PF_DEC} } }, + /* PPME_SYSCALL_FCNTL_E */{"fcntl", EC_IO_OTHER, EF_USES_FD | EF_MODIFIES_STATE | EF_DROP_SIMPLE_CONS, 2, {{"fd", PT_FD32, PF_DEC}, {"cmd", PT_ENUMFLAGS8, PF_DEC, fcntl_commands} } }, + /* PPME_SYSCALL_FCNTL_X */{"fcntl", EC_IO_OTHER, EF_USES_FD | EF_MODIFIES_STATE | EF_DROP_SIMPLE_CONS, 1, {{"res", PT_FD32, PF_DEC} } }, + /* PPME_SCHEDSWITCH_6_E */{"switch", EC_SCHEDULER, EF_DROP_SIMPLE_CONS, 6, {{"next", PT_PID32, PF_DEC}, {"pgft_maj", PT_UINT64, PF_DEC}, {"pgft_min", PT_UINT64, PF_DEC}, {"vm_size", PT_UINT32, PF_DEC}, {"vm_rss", PT_UINT32, PF_DEC}, {"vm_swap", PT_UINT32, PF_DEC} } }, /* PPME_SCHEDSWITCH_6_X */{"NA2", EC_SCHEDULER, EF_UNUSED, 0}, /* PPME_SYSCALL_EXECVE_13_E */{"execve", EC_PROCESS, EF_MODIFIES_STATE | EF_OLD_VERSION, 0}, - /* PPME_SYSCALL_EXECVE_13_X */{"execve", EC_PROCESS, EF_MODIFIES_STATE | EF_OLD_VERSION, 13, {{"res", PT_ERRNO, PF_DEC}, {"exe", PT_CHARBUF, PF_NA}, {"args", PT_BYTEBUF, PF_NA}, {"tid", PT_PID, PF_DEC}, {"pid", PT_PID, PF_DEC}, {"ptid", PT_PID, PF_DEC}, {"cwd", PT_CHARBUF, PF_NA}, {"fdlimit", PT_UINT64, PF_DEC}, {"pgft_maj", PT_UINT64, PF_DEC}, {"pgft_min", PT_UINT64, PF_DEC}, {"vm_size", PT_UINT32, PF_DEC}, {"vm_rss", PT_UINT32, PF_DEC}, {"vm_swap", PT_UINT32, PF_DEC} } }, + /* PPME_SYSCALL_EXECVE_13_X */{"execve", EC_PROCESS, EF_MODIFIES_STATE | EF_OLD_VERSION, 13, {{"res", PT_ERRNO32, PF_DEC}, {"exe", PT_CHARBUF, PF_NA}, {"args", PT_BYTEBUF, PF_NA}, {"tid", PT_PID32, PF_DEC}, {"pid", PT_PID32, PF_DEC}, {"ptid", PT_PID32, PF_DEC}, {"cwd", PT_CHARBUF, PF_NA}, {"fdlimit", PT_UINT64, PF_DEC}, {"pgft_maj", PT_UINT64, PF_DEC}, {"pgft_min", PT_UINT64, PF_DEC}, {"vm_size", PT_UINT32, PF_DEC}, {"vm_rss", PT_UINT32, PF_DEC}, {"vm_swap", PT_UINT32, PF_DEC} } }, /* PPME_SYSCALL_CLONE_16_E */{"clone", EC_PROCESS, EF_MODIFIES_STATE | EF_OLD_VERSION, 0}, - /* PPME_SYSCALL_CLONE_16_X */{"clone", EC_PROCESS, EF_MODIFIES_STATE | EF_OLD_VERSION, 16, {{"res", PT_PID, PF_DEC}, {"exe", PT_CHARBUF, PF_NA}, {"args", PT_BYTEBUF, PF_NA}, {"tid", PT_PID, PF_DEC}, {"pid", PT_PID, PF_DEC}, {"ptid", PT_PID, PF_DEC}, {"cwd", PT_CHARBUF, PF_NA}, {"fdlimit", PT_INT64, PF_DEC}, {"pgft_maj", PT_UINT64, PF_DEC}, {"pgft_min", PT_UINT64, PF_DEC}, {"vm_size", PT_UINT32, PF_DEC}, {"vm_rss", PT_UINT32, PF_DEC}, {"vm_swap", PT_UINT32, PF_DEC}, {"flags", PT_FLAGS32, PF_HEX, clone_flags}, {"uid", PT_UINT32, PF_DEC}, {"gid", PT_UINT32, PF_DEC} } }, + /* PPME_SYSCALL_CLONE_16_X */{"clone", EC_PROCESS, EF_MODIFIES_STATE | EF_OLD_VERSION, 16, {{"res", PT_PID32, PF_DEC}, {"exe", PT_CHARBUF, PF_NA}, {"args", PT_BYTEBUF, PF_NA}, {"tid", PT_PID32, PF_DEC}, {"pid", PT_PID32, PF_DEC}, {"ptid", PT_PID32, PF_DEC}, {"cwd", PT_CHARBUF, PF_NA}, {"fdlimit", PT_INT64, PF_DEC}, {"pgft_maj", PT_UINT64, PF_DEC}, {"pgft_min", PT_UINT64, PF_DEC}, {"vm_size", PT_UINT32, PF_DEC}, {"vm_rss", PT_UINT32, PF_DEC}, {"vm_swap", PT_UINT32, PF_DEC}, {"flags", PT_FLAGS32, PF_HEX, clone_flags}, {"uid", PT_UINT32, PF_DEC}, {"gid", PT_UINT32, PF_DEC} } }, /* PPME_SYSCALL_BRK_4_E */{"brk", EC_MEMORY, EF_DROP_SIMPLE_CONS, 1, {{"addr", PT_UINT64, PF_HEX} } }, /* PPME_SYSCALL_BRK_4_X */{"brk", EC_MEMORY, EF_DROP_SIMPLE_CONS, 4, {{"res", PT_UINT64, PF_HEX}, {"vm_size", PT_UINT32, PF_DEC}, {"vm_rss", PT_UINT32, PF_DEC}, {"vm_swap", PT_UINT32, PF_DEC} } }, - /* PPME_SYSCALL_MMAP_E */{"mmap", EC_MEMORY, EF_DROP_SIMPLE_CONS, 6, {{"addr", PT_UINT64, PF_HEX}, {"length", PT_UINT64, PF_DEC}, {"prot", PT_FLAGS32, PF_HEX, prot_flags}, {"flags", PT_FLAGS32, PF_HEX, mmap_flags}, {"fd", PT_FD, PF_DEC}, {"offset", PT_UINT64, PF_DEC} } }, + /* PPME_SYSCALL_MMAP_E */{"mmap", EC_MEMORY, EF_DROP_SIMPLE_CONS, 6, {{"addr", PT_UINT64, PF_HEX}, {"length", PT_UINT64, PF_DEC}, {"prot", PT_FLAGS32, PF_HEX, prot_flags}, {"flags", PT_FLAGS32, PF_HEX, mmap_flags}, {"fd", PT_FD32, PF_DEC}, {"offset", PT_UINT64, PF_DEC} } }, /* PPME_SYSCALL_MMAP_X */{"mmap", EC_MEMORY, EF_DROP_SIMPLE_CONS, 4, {{"res", PT_UINT64, PF_HEX}, {"vm_size", PT_UINT32, PF_DEC}, {"vm_rss", PT_UINT32, PF_DEC}, {"vm_swap", PT_UINT32, PF_DEC} } }, - /* PPME_SYSCALL_MMAP2_E */{"mmap2", EC_MEMORY, EF_DROP_SIMPLE_CONS, 6, {{"addr", PT_UINT64, PF_HEX}, {"length", PT_UINT64, PF_DEC}, {"prot", PT_FLAGS32, PF_HEX, prot_flags}, {"flags", PT_FLAGS32, PF_HEX, mmap_flags}, {"fd", PT_FD, PF_DEC}, {"pgoffset", PT_UINT64, PF_DEC} } }, + /* PPME_SYSCALL_MMAP2_E */{"mmap2", EC_MEMORY, EF_DROP_SIMPLE_CONS, 6, {{"addr", PT_UINT64, PF_HEX}, {"length", PT_UINT64, PF_DEC}, {"prot", PT_FLAGS32, PF_HEX, prot_flags}, {"flags", PT_FLAGS32, PF_HEX, mmap_flags}, {"fd", PT_FD32, PF_DEC}, {"pgoffset", PT_UINT64, PF_DEC} } }, /* PPME_SYSCALL_MMAP2_X */{"mmap2", EC_MEMORY, EF_DROP_SIMPLE_CONS, 4, {{"res", PT_UINT64, PF_HEX}, {"vm_size", PT_UINT32, PF_DEC}, {"vm_rss", PT_UINT32, PF_DEC}, {"vm_swap", PT_UINT32, PF_DEC} } }, /* PPME_SYSCALL_MUNMAP_E */{"munmap", EC_MEMORY, EF_DROP_SIMPLE_CONS, 2, {{"addr", PT_UINT64, PF_HEX}, {"length", PT_UINT64, PF_DEC} } }, - /* PPME_SYSCALL_MUNMAP_X */{"munmap", EC_MEMORY, EF_DROP_SIMPLE_CONS, 4, {{"res", PT_ERRNO, PF_DEC}, {"vm_size", PT_UINT32, PF_DEC}, {"vm_rss", PT_UINT32, PF_DEC}, {"vm_swap", PT_UINT32, PF_DEC} } }, - /* PPME_SYSCALL_SPLICE_E */{"splice", EC_IO_OTHER, EF_USES_FD | EF_DROP_SIMPLE_CONS, 4, {{"fd_in", PT_FD, PF_DEC}, {"fd_out", PT_FD, PF_DEC}, {"size", PT_UINT64, PF_DEC}, {"flags", PT_FLAGS32, PF_HEX, splice_flags} } }, - /* PPME_SYSCALL_SPLICE_X */{"splice", EC_IO_OTHER, EF_USES_FD | EF_DROP_SIMPLE_CONS, 1, {{"res", PT_ERRNO, PF_DEC} } }, - /* PPME_SYSCALL_PTRACE_E */{"ptrace", EC_PROCESS, EF_NONE, 2, {{"request", PT_ENUMFLAGS16, PF_DEC, ptrace_requests}, {"pid", PT_PID, PF_DEC} } }, - /* PPME_SYSCALL_PTRACE_X */{"ptrace", EC_PROCESS, EF_NONE, 3, {{"res", PT_ERRNO, PF_DEC}, {"addr", PT_DYN, PF_HEX, ptrace_dynamic_param, PPM_PTRACE_IDX_MAX}, {"data", PT_DYN, PF_HEX, ptrace_dynamic_param, PPM_PTRACE_IDX_MAX} } }, - /* PPME_SYSCALL_IOCTL_3_E */{"ioctl", EC_IO_OTHER, EF_USES_FD, 3, {{"fd", PT_FD, PF_DEC}, {"request", PT_UINT64, PF_HEX}, {"argument", PT_UINT64, PF_HEX} } }, - /* PPME_SYSCALL_IOCTL_3_X */{"ioctl", EC_IO_OTHER, EF_USES_FD, 1, {{"res", PT_ERRNO, PF_DEC} } }, + /* PPME_SYSCALL_MUNMAP_X */{"munmap", EC_MEMORY, EF_DROP_SIMPLE_CONS, 4, {{"res", PT_ERRNO32, PF_DEC}, {"vm_size", PT_UINT32, PF_DEC}, {"vm_rss", PT_UINT32, PF_DEC}, {"vm_swap", PT_UINT32, PF_DEC} } }, + /* PPME_SYSCALL_SPLICE_E */{"splice", EC_IO_OTHER, EF_USES_FD | EF_DROP_SIMPLE_CONS, 4, {{"fd_in", PT_FD32, PF_DEC}, {"fd_out", PT_FD32, PF_DEC}, {"size", PT_UINT64, PF_DEC}, {"flags", PT_FLAGS32, PF_HEX, splice_flags} } }, + /* PPME_SYSCALL_SPLICE_X */{"splice", EC_IO_OTHER, EF_USES_FD | EF_DROP_SIMPLE_CONS, 1, {{"res", PT_ERRNO32, PF_DEC} } }, + /* PPME_SYSCALL_PTRACE_E */{"ptrace", EC_PROCESS, EF_NONE, 2, {{"request", PT_ENUMFLAGS16, PF_DEC, ptrace_requests}, {"pid", PT_PID32, PF_DEC} } }, + /* PPME_SYSCALL_PTRACE_X */{"ptrace", EC_PROCESS, EF_NONE, 3, {{"res", PT_ERRNO32, PF_DEC}, {"addr", PT_DYN, PF_HEX, ptrace_dynamic_param, PPM_PTRACE_IDX_MAX}, {"data", PT_DYN, PF_HEX, ptrace_dynamic_param, PPM_PTRACE_IDX_MAX} } }, + /* PPME_SYSCALL_IOCTL_3_E */{"ioctl", EC_IO_OTHER, EF_USES_FD, 3, {{"fd", PT_FD32, PF_DEC}, {"request", PT_UINT64, PF_HEX}, {"argument", PT_UINT64, PF_HEX} } }, + /* PPME_SYSCALL_IOCTL_3_X */{"ioctl", EC_IO_OTHER, EF_USES_FD, 1, {{"res", PT_ERRNO32, PF_DEC} } }, /* PPME_SYSCALL_EXECVE_14_E */{"execve", EC_PROCESS, EF_MODIFIES_STATE | EF_OLD_VERSION, 0}, - /* PPME_SYSCALL_EXECVE_14_X */{"execve", EC_PROCESS, EF_MODIFIES_STATE | EF_OLD_VERSION, 14, {{"res", PT_ERRNO, PF_DEC}, {"exe", PT_CHARBUF, PF_NA}, {"args", PT_BYTEBUF, PF_NA}, {"tid", PT_PID, PF_DEC}, {"pid", PT_PID, PF_DEC}, {"ptid", PT_PID, PF_DEC}, {"cwd", PT_CHARBUF, PF_NA}, {"fdlimit", PT_UINT64, PF_DEC}, {"pgft_maj", PT_UINT64, PF_DEC}, {"pgft_min", PT_UINT64, PF_DEC}, {"vm_size", PT_UINT32, PF_DEC}, {"vm_rss", PT_UINT32, PF_DEC}, {"vm_swap", PT_UINT32, PF_DEC}, {"env", PT_BYTEBUF, PF_NA} } }, + /* PPME_SYSCALL_EXECVE_14_X */{"execve", EC_PROCESS, EF_MODIFIES_STATE | EF_OLD_VERSION, 14, {{"res", PT_ERRNO32, PF_DEC}, {"exe", PT_CHARBUF, PF_NA}, {"args", PT_BYTEBUF, PF_NA}, {"tid", PT_PID32, PF_DEC}, {"pid", PT_PID32, PF_DEC}, {"ptid", PT_PID32, PF_DEC}, {"cwd", PT_CHARBUF, PF_NA}, {"fdlimit", PT_UINT64, PF_DEC}, {"pgft_maj", PT_UINT64, PF_DEC}, {"pgft_min", PT_UINT64, PF_DEC}, {"vm_size", PT_UINT32, PF_DEC}, {"vm_rss", PT_UINT32, PF_DEC}, {"vm_swap", PT_UINT32, PF_DEC}, {"env", PT_BYTEBUF, PF_NA} } }, /* PPME_SYSCALL_RENAME_E */{"rename", EC_FILE, EF_NONE, 0 }, - /* PPME_SYSCALL_RENAME_X */{"rename", EC_FILE, EF_NONE, 3, {{"res", PT_ERRNO, PF_DEC}, {"oldpath", PT_FSPATH, PF_NA}, {"newpath", PT_FSPATH, PF_NA} } }, + /* PPME_SYSCALL_RENAME_X */{"rename", EC_FILE, EF_NONE, 3, {{"res", PT_ERRNO32, PF_DEC}, {"oldpath", PT_FSPATH, PF_NA}, {"newpath", PT_FSPATH, PF_NA} } }, /* PPME_SYSCALL_RENAMEAT_E */{"renameat", EC_FILE, EF_NONE, 0 }, - /* PPME_SYSCALL_RENAMEAT_X */{"renameat", EC_FILE, EF_NONE, 5, {{"res", PT_ERRNO, PF_DEC}, {"olddirfd", PT_FD, PF_DEC}, {"oldpath", PT_FSRELPATH, PF_NA, DIRFD_PARAM(1)}, {"newdirfd", PT_FD, PF_DEC}, {"newpath", PT_FSRELPATH, PF_NA, DIRFD_PARAM(3)} } }, + /* PPME_SYSCALL_RENAMEAT_X */{"renameat", EC_FILE, EF_NONE, 5, {{"res", PT_ERRNO32, PF_DEC}, {"olddirfd", PT_FD32, PF_DEC}, {"oldpath", PT_FSRELPATH, PF_NA, DIRFD_PARAM(1)}, {"newdirfd", PT_FD32, PF_DEC}, {"newpath", PT_FSRELPATH, PF_NA, DIRFD_PARAM(3)} } }, /* PPME_SYSCALL_SYMLINK_E */{"symlink", EC_FILE, EF_NONE, 0 }, - /* PPME_SYSCALL_SYMLINK_X */{"symlink", EC_FILE, EF_NONE, 3, {{"res", PT_ERRNO, PF_DEC}, {"target", PT_CHARBUF, PF_NA}, {"linkpath", PT_FSPATH, PF_NA} } }, + /* PPME_SYSCALL_SYMLINK_X */{"symlink", EC_FILE, EF_NONE, 3, {{"res", PT_ERRNO32, PF_DEC}, {"target", PT_CHARBUF, PF_NA}, {"linkpath", PT_FSPATH, PF_NA} } }, /* PPME_SYSCALL_SYMLINKAT_E */{"symlinkat", EC_FILE, EF_NONE, 0 }, - /* PPME_SYSCALL_SYMLINKAT_X */{"symlinkat", EC_FILE, EF_NONE, 4, {{"res", PT_ERRNO, PF_DEC}, {"target", PT_CHARBUF, PF_NA}, {"linkdirfd", PT_FD, PF_DEC}, {"linkpath", PT_FSRELPATH, PF_NA, DIRFD_PARAM(2)} } }, + /* PPME_SYSCALL_SYMLINKAT_X */{"symlinkat", EC_FILE, EF_NONE, 4, {{"res", PT_ERRNO32, PF_DEC}, {"target", PT_CHARBUF, PF_NA}, {"linkdirfd", PT_FD32, PF_DEC}, {"linkpath", PT_FSRELPATH, PF_NA, DIRFD_PARAM(2)} } }, /* PPME_SYSCALL_FORK_E */{"fork", EC_PROCESS, EF_MODIFIES_STATE | EF_OLD_VERSION, 0}, - /* PPME_SYSCALL_FORK_X */{"fork", EC_PROCESS, EF_MODIFIES_STATE | EF_OLD_VERSION, 16, {{"res", PT_PID, PF_DEC}, {"exe", PT_CHARBUF, PF_NA}, {"args", PT_BYTEBUF, PF_NA}, {"tid", PT_PID, PF_DEC}, {"pid", PT_PID, PF_DEC}, {"ptid", PT_PID, PF_DEC}, {"cwd", PT_CHARBUF, PF_NA}, {"fdlimit", PT_INT64, PF_DEC}, {"pgft_maj", PT_UINT64, PF_DEC}, {"pgft_min", PT_UINT64, PF_DEC}, {"vm_size", PT_UINT32, PF_DEC}, {"vm_rss", PT_UINT32, PF_DEC}, {"vm_swap", PT_UINT32, PF_DEC}, {"flags", PT_FLAGS32, PF_HEX, clone_flags}, {"uid", PT_UINT32, PF_DEC}, {"gid", PT_UINT32, PF_DEC} } }, + /* PPME_SYSCALL_FORK_X */{"fork", EC_PROCESS, EF_MODIFIES_STATE | EF_OLD_VERSION, 16, {{"res", PT_PID32, PF_DEC}, {"exe", PT_CHARBUF, PF_NA}, {"args", PT_BYTEBUF, PF_NA}, {"tid", PT_PID32, PF_DEC}, {"pid", PT_PID32, PF_DEC}, {"ptid", PT_PID32, PF_DEC}, {"cwd", PT_CHARBUF, PF_NA}, {"fdlimit", PT_INT64, PF_DEC}, {"pgft_maj", PT_UINT64, PF_DEC}, {"pgft_min", PT_UINT64, PF_DEC}, {"vm_size", PT_UINT32, PF_DEC}, {"vm_rss", PT_UINT32, PF_DEC}, {"vm_swap", PT_UINT32, PF_DEC}, {"flags", PT_FLAGS32, PF_HEX, clone_flags}, {"uid", PT_UINT32, PF_DEC}, {"gid", PT_UINT32, PF_DEC} } }, /* PPME_SYSCALL_VFORK_E */{"vfork", EC_PROCESS, EF_MODIFIES_STATE | EF_OLD_VERSION, 0}, - /* PPME_SYSCALL_VFORK_X */{"vfork", EC_PROCESS, EF_MODIFIES_STATE | EF_OLD_VERSION, 16, {{"res", PT_PID, PF_DEC}, {"exe", PT_CHARBUF, PF_NA}, {"args", PT_BYTEBUF, PF_NA}, {"tid", PT_PID, PF_DEC}, {"pid", PT_PID, PF_DEC}, {"ptid", PT_PID, PF_DEC}, {"cwd", PT_CHARBUF, PF_NA}, {"fdlimit", PT_INT64, PF_DEC}, {"pgft_maj", PT_UINT64, PF_DEC}, {"pgft_min", PT_UINT64, PF_DEC}, {"vm_size", PT_UINT32, PF_DEC}, {"vm_rss", PT_UINT32, PF_DEC}, {"vm_swap", PT_UINT32, PF_DEC}, {"flags", PT_FLAGS32, PF_HEX, clone_flags}, {"uid", PT_UINT32, PF_DEC}, {"gid", PT_UINT32, PF_DEC} } }, - /* PPME_PROCEXIT_1_E */{"procexit", EC_PROCESS, EF_MODIFIES_STATE, 4, {{"status", PT_ERRNO, PF_DEC}, {"ret", PT_ERRNO, PF_DEC}, {"sig", PT_SIGTYPE, PF_DEC}, {"core", PT_UINT8, PF_DEC} } }, + /* PPME_SYSCALL_VFORK_X */{"vfork", EC_PROCESS, EF_MODIFIES_STATE | EF_OLD_VERSION, 16, {{"res", PT_PID32, PF_DEC}, {"exe", PT_CHARBUF, PF_NA}, {"args", PT_BYTEBUF, PF_NA}, {"tid", PT_PID32, PF_DEC}, {"pid", PT_PID32, PF_DEC}, {"ptid", PT_PID32, PF_DEC}, {"cwd", PT_CHARBUF, PF_NA}, {"fdlimit", PT_INT64, PF_DEC}, {"pgft_maj", PT_UINT64, PF_DEC}, {"pgft_min", PT_UINT64, PF_DEC}, {"vm_size", PT_UINT32, PF_DEC}, {"vm_rss", PT_UINT32, PF_DEC}, {"vm_swap", PT_UINT32, PF_DEC}, {"flags", PT_FLAGS32, PF_HEX, clone_flags}, {"uid", PT_UINT32, PF_DEC}, {"gid", PT_UINT32, PF_DEC} } }, + /* PPME_PROCEXIT_1_E */{"procexit", EC_PROCESS, EF_MODIFIES_STATE, 4, {{"status", PT_ERRNO32, PF_DEC}, {"ret", PT_ERRNO32, PF_DEC}, {"sig", PT_SIGTYPE, PF_DEC}, {"core", PT_UINT8, PF_DEC} } }, /* PPME_NA1 */{"NA1", EC_PROCESS, EF_UNUSED, 0}, - /* PPME_SYSCALL_SENDFILE_E */{"sendfile", EC_IO_WRITE, EF_USES_FD | EF_DROP_SIMPLE_CONS, 4, {{"out_fd", PT_FD, PF_DEC}, {"in_fd", PT_FD, PF_DEC}, {"offset", PT_UINT64, PF_DEC}, {"size", PT_UINT64, PF_DEC} } }, - /* PPME_SYSCALL_SENDFILE_X */{"sendfile", EC_IO_WRITE, EF_USES_FD | EF_DROP_SIMPLE_CONS, 2, {{"res", PT_ERRNO, PF_DEC}, {"offset", PT_UINT64, PF_DEC} } }, + /* PPME_SYSCALL_SENDFILE_E */{"sendfile", EC_IO_WRITE, EF_USES_FD | EF_DROP_SIMPLE_CONS, 4, {{"out_fd", PT_FD32, PF_DEC}, {"in_fd", PT_FD32, PF_DEC}, {"offset", PT_UINT64, PF_DEC}, {"size", PT_UINT64, PF_DEC} } }, + /* PPME_SYSCALL_SENDFILE_X */{"sendfile", EC_IO_WRITE, EF_USES_FD | EF_DROP_SIMPLE_CONS, 2, {{"res", PT_ERRNO32, PF_DEC}, {"offset", PT_UINT64, PF_DEC} } }, /* PPME_SYSCALL_QUOTACTL_E */{"quotactl", EC_USER, EF_NONE, 4, {{"cmd", PT_FLAGS16, PF_DEC, quotactl_cmds }, {"type", PT_FLAGS8, PF_DEC, quotactl_types}, {"id", PT_UINT32, PF_DEC}, {"quota_fmt", PT_FLAGS8, PF_DEC, quotactl_quota_fmts } } }, - /* PPME_SYSCALL_QUOTACTL_X */{"quotactl", EC_USER, EF_NONE, 14, {{"res", PT_ERRNO, PF_DEC}, {"special", PT_CHARBUF, PF_NA }, {"quotafilepath", PT_CHARBUF, PF_NA}, {"dqb_bhardlimit", PT_UINT64, PF_DEC }, {"dqb_bsoftlimit", PT_UINT64, PF_DEC }, {"dqb_curspace", PT_UINT64, PF_DEC }, {"dqb_ihardlimit", PT_UINT64, PF_DEC }, {"dqb_isoftlimit", PT_UINT64, PF_DEC }, {"dqb_btime", PT_RELTIME, PF_DEC }, {"dqb_itime", PT_RELTIME, PF_DEC }, {"dqi_bgrace", PT_RELTIME, PF_DEC }, {"dqi_igrace", PT_RELTIME, PF_DEC }, {"dqi_flags", PT_FLAGS8, PF_DEC, quotactl_dqi_flags }, {"quota_fmt_out", PT_FLAGS8, PF_DEC, quotactl_quota_fmts } } }, + /* PPME_SYSCALL_QUOTACTL_X */{"quotactl", EC_USER, EF_NONE, 14, {{"res", PT_ERRNO32, PF_DEC}, {"special", PT_CHARBUF, PF_NA }, {"quotafilepath", PT_CHARBUF, PF_NA}, {"dqb_bhardlimit", PT_UINT64, PF_DEC }, {"dqb_bsoftlimit", PT_UINT64, PF_DEC }, {"dqb_curspace", PT_UINT64, PF_DEC }, {"dqb_ihardlimit", PT_UINT64, PF_DEC }, {"dqb_isoftlimit", PT_UINT64, PF_DEC }, {"dqb_btime", PT_RELTIME, PF_DEC }, {"dqb_itime", PT_RELTIME, PF_DEC }, {"dqi_bgrace", PT_RELTIME, PF_DEC }, {"dqi_igrace", PT_RELTIME, PF_DEC }, {"dqi_flags", PT_FLAGS8, PF_DEC, quotactl_dqi_flags }, {"quota_fmt_out", PT_FLAGS8, PF_DEC, quotactl_quota_fmts } } }, /* PPME_SYSCALL_SETRESUID_E */ {"setresuid", EC_USER, EF_MODIFIES_STATE, 3, {{"ruid", PT_UID, PF_DEC }, {"euid", PT_UID, PF_DEC }, {"suid", PT_UID, PF_DEC } } }, - /* PPME_SYSCALL_SETRESUID_X */ {"setresuid", EC_USER, EF_MODIFIES_STATE, 1, {{"res", PT_ERRNO, PF_DEC} } }, + /* PPME_SYSCALL_SETRESUID_X */ {"setresuid", EC_USER, EF_MODIFIES_STATE, 1, {{"res", PT_ERRNO32, PF_DEC} } }, /* PPME_SYSCALL_SETRESGID_E */ {"setresgid", EC_USER, EF_MODIFIES_STATE, 3, {{"rgid", PT_GID, PF_DEC }, {"egid", PT_GID, PF_DEC }, {"sgid", PT_GID, PF_DEC } } }, - /* PPME_SYSCALL_SETRESGID_X */ {"setresgid", EC_USER, EF_MODIFIES_STATE, 1, {{"res", PT_ERRNO, PF_DEC} } }, + /* PPME_SYSCALL_SETRESGID_X */ {"setresgid", EC_USER, EF_MODIFIES_STATE, 1, {{"res", PT_ERRNO32, PF_DEC} } }, /* PPME_SCAPEVENT_E */{"scapevent", EC_INTERNAL, EF_SKIPPARSERESET, 2, {{"event_type", PT_UINT32, PF_DEC}, {"event_data", PT_UINT64, PF_DEC} } }, /* PPME_SCAPEVENT_X */{"scapevent", EC_INTERNAL, EF_UNUSED, 0}, /* PPME_SYSCALL_SETUID_E */ {"setuid", EC_USER, EF_MODIFIES_STATE, 1, {{"uid", PT_UID, PF_DEC} } }, - /* PPME_SYSCALL_SETUID_X */ {"setuid", EC_USER, EF_MODIFIES_STATE, 1, {{"res", PT_ERRNO, PF_DEC} } }, + /* PPME_SYSCALL_SETUID_X */ {"setuid", EC_USER, EF_MODIFIES_STATE, 1, {{"res", PT_ERRNO32, PF_DEC} } }, /* PPME_SYSCALL_SETGID_E */ {"setgid", EC_USER, EF_MODIFIES_STATE, 1, {{"gid", PT_GID, PF_DEC} } }, - /* PPME_SYSCALL_SETGID_X */ {"setgid", EC_USER, EF_MODIFIES_STATE, 1, {{"res", PT_ERRNO, PF_DEC} } }, + /* PPME_SYSCALL_SETGID_X */ {"setgid", EC_USER, EF_MODIFIES_STATE, 1, {{"res", PT_ERRNO32, PF_DEC} } }, /* PPME_SYSCALL_GETUID_E */ {"getuid", EC_USER, EF_DROP_SIMPLE_CONS, 0}, /* PPME_SYSCALL_GETUID_X */ {"getuid", EC_USER, EF_DROP_SIMPLE_CONS, 1, {{"uid", PT_UID, PF_DEC} } }, /* PPME_SYSCALL_GETEUID_E */ {"geteuid", EC_USER, EF_DROP_SIMPLE_CONS, 0 }, @@ -223,63 +223,63 @@ const struct ppm_event_info g_event_info[PPM_EVENT_MAX] = { /* PPME_SYSCALL_GETEGID_E */ {"getegid", EC_USER, EF_DROP_SIMPLE_CONS, 0 }, /* PPME_SYSCALL_GETEGID_X */ {"getegid", EC_USER, EF_DROP_SIMPLE_CONS, 1, {{"egid", PT_GID, PF_DEC} } }, /* PPME_SYSCALL_GETRESUID_E */ {"getresuid", EC_USER, EF_DROP_SIMPLE_CONS, 0 }, - /* PPME_SYSCALL_GETRESUID_X */ {"getresuid", EC_USER, EF_DROP_SIMPLE_CONS, 4, {{"res", PT_ERRNO, PF_DEC}, {"ruid", PT_UID, PF_DEC }, {"euid", PT_UID, PF_DEC }, {"suid", PT_UID, PF_DEC } } }, + /* PPME_SYSCALL_GETRESUID_X */ {"getresuid", EC_USER, EF_DROP_SIMPLE_CONS, 4, {{"res", PT_ERRNO32, PF_DEC}, {"ruid", PT_UID, PF_DEC }, {"euid", PT_UID, PF_DEC }, {"suid", PT_UID, PF_DEC } } }, /* PPME_SYSCALL_GETRESGID_E */ {"getresgid", EC_USER, EF_DROP_SIMPLE_CONS, 0 }, - /* PPME_SYSCALL_GETRESGID_X */ {"getresgid", EC_USER, EF_DROP_SIMPLE_CONS, 4, {{"res", PT_ERRNO, PF_DEC}, {"rgid", PT_GID, PF_DEC }, {"egid", PT_GID, PF_DEC }, {"sgid", PT_GID, PF_DEC } } }, + /* PPME_SYSCALL_GETRESGID_X */ {"getresgid", EC_USER, EF_DROP_SIMPLE_CONS, 4, {{"res", PT_ERRNO32, PF_DEC}, {"rgid", PT_GID, PF_DEC }, {"egid", PT_GID, PF_DEC }, {"sgid", PT_GID, PF_DEC } } }, /* PPME_SYSCALL_EXECVE_15_E */{"execve", EC_PROCESS, EF_MODIFIES_STATE | EF_OLD_VERSION, 0}, - /* PPME_SYSCALL_EXECVE_15_X */{"execve", EC_PROCESS, EF_MODIFIES_STATE | EF_OLD_VERSION, 15, {{"res", PT_ERRNO, PF_DEC}, {"exe", PT_CHARBUF, PF_NA}, {"args", PT_BYTEBUF, PF_NA}, {"tid", PT_PID, PF_DEC}, {"pid", PT_PID, PF_DEC}, {"ptid", PT_PID, PF_DEC}, {"cwd", PT_CHARBUF, PF_NA}, {"fdlimit", PT_UINT64, PF_DEC}, {"pgft_maj", PT_UINT64, PF_DEC}, {"pgft_min", PT_UINT64, PF_DEC}, {"vm_size", PT_UINT32, PF_DEC}, {"vm_rss", PT_UINT32, PF_DEC}, {"vm_swap", PT_UINT32, PF_DEC}, {"comm", PT_CHARBUF, PF_NA}, {"env", PT_BYTEBUF, PF_NA} } }, + /* PPME_SYSCALL_EXECVE_15_X */{"execve", EC_PROCESS, EF_MODIFIES_STATE | EF_OLD_VERSION, 15, {{"res", PT_ERRNO32, PF_DEC}, {"exe", PT_CHARBUF, PF_NA}, {"args", PT_BYTEBUF, PF_NA}, {"tid", PT_PID32, PF_DEC}, {"pid", PT_PID32, PF_DEC}, {"ptid", PT_PID32, PF_DEC}, {"cwd", PT_CHARBUF, PF_NA}, {"fdlimit", PT_UINT64, PF_DEC}, {"pgft_maj", PT_UINT64, PF_DEC}, {"pgft_min", PT_UINT64, PF_DEC}, {"vm_size", PT_UINT32, PF_DEC}, {"vm_rss", PT_UINT32, PF_DEC}, {"vm_swap", PT_UINT32, PF_DEC}, {"comm", PT_CHARBUF, PF_NA}, {"env", PT_BYTEBUF, PF_NA} } }, /* PPME_SYSCALL_CLONE_17_E */{"clone", EC_PROCESS, EF_MODIFIES_STATE | EF_OLD_VERSION, 0}, - /* PPME_SYSCALL_CLONE_17_X */{"clone", EC_PROCESS, EF_MODIFIES_STATE | EF_OLD_VERSION, 17, {{"res", PT_PID, PF_DEC}, {"exe", PT_CHARBUF, PF_NA}, {"args", PT_BYTEBUF, PF_NA}, {"tid", PT_PID, PF_DEC}, {"pid", PT_PID, PF_DEC}, {"ptid", PT_PID, PF_DEC}, {"cwd", PT_CHARBUF, PF_NA}, {"fdlimit", PT_INT64, PF_DEC}, {"pgft_maj", PT_UINT64, PF_DEC}, {"pgft_min", PT_UINT64, PF_DEC}, {"vm_size", PT_UINT32, PF_DEC}, {"vm_rss", PT_UINT32, PF_DEC}, {"vm_swap", PT_UINT32, PF_DEC}, {"comm", PT_CHARBUF, PF_NA}, {"flags", PT_FLAGS32, PF_HEX, clone_flags}, {"uid", PT_UINT32, PF_DEC}, {"gid", PT_UINT32, PF_DEC} } }, + /* PPME_SYSCALL_CLONE_17_X */{"clone", EC_PROCESS, EF_MODIFIES_STATE | EF_OLD_VERSION, 17, {{"res", PT_PID32, PF_DEC}, {"exe", PT_CHARBUF, PF_NA}, {"args", PT_BYTEBUF, PF_NA}, {"tid", PT_PID32, PF_DEC}, {"pid", PT_PID32, PF_DEC}, {"ptid", PT_PID32, PF_DEC}, {"cwd", PT_CHARBUF, PF_NA}, {"fdlimit", PT_INT64, PF_DEC}, {"pgft_maj", PT_UINT64, PF_DEC}, {"pgft_min", PT_UINT64, PF_DEC}, {"vm_size", PT_UINT32, PF_DEC}, {"vm_rss", PT_UINT32, PF_DEC}, {"vm_swap", PT_UINT32, PF_DEC}, {"comm", PT_CHARBUF, PF_NA}, {"flags", PT_FLAGS32, PF_HEX, clone_flags}, {"uid", PT_UINT32, PF_DEC}, {"gid", PT_UINT32, PF_DEC} } }, /* PPME_SYSCALL_FORK_17_E */{"fork", EC_PROCESS, EF_MODIFIES_STATE | EF_OLD_VERSION, 0}, - /* PPME_SYSCALL_FORK_17_X */{"fork", EC_PROCESS, EF_MODIFIES_STATE | EF_OLD_VERSION, 17, {{"res", PT_PID, PF_DEC}, {"exe", PT_CHARBUF, PF_NA}, {"args", PT_BYTEBUF, PF_NA}, {"tid", PT_PID, PF_DEC}, {"pid", PT_PID, PF_DEC}, {"ptid", PT_PID, PF_DEC}, {"cwd", PT_CHARBUF, PF_NA}, {"fdlimit", PT_INT64, PF_DEC}, {"pgft_maj", PT_UINT64, PF_DEC}, {"pgft_min", PT_UINT64, PF_DEC}, {"vm_size", PT_UINT32, PF_DEC}, {"vm_rss", PT_UINT32, PF_DEC}, {"vm_swap", PT_UINT32, PF_DEC}, {"comm", PT_CHARBUF, PF_NA}, {"flags", PT_FLAGS32, PF_HEX, clone_flags}, {"uid", PT_UINT32, PF_DEC}, {"gid", PT_UINT32, PF_DEC} } }, + /* PPME_SYSCALL_FORK_17_X */{"fork", EC_PROCESS, EF_MODIFIES_STATE | EF_OLD_VERSION, 17, {{"res", PT_PID32, PF_DEC}, {"exe", PT_CHARBUF, PF_NA}, {"args", PT_BYTEBUF, PF_NA}, {"tid", PT_PID32, PF_DEC}, {"pid", PT_PID32, PF_DEC}, {"ptid", PT_PID32, PF_DEC}, {"cwd", PT_CHARBUF, PF_NA}, {"fdlimit", PT_INT64, PF_DEC}, {"pgft_maj", PT_UINT64, PF_DEC}, {"pgft_min", PT_UINT64, PF_DEC}, {"vm_size", PT_UINT32, PF_DEC}, {"vm_rss", PT_UINT32, PF_DEC}, {"vm_swap", PT_UINT32, PF_DEC}, {"comm", PT_CHARBUF, PF_NA}, {"flags", PT_FLAGS32, PF_HEX, clone_flags}, {"uid", PT_UINT32, PF_DEC}, {"gid", PT_UINT32, PF_DEC} } }, /* PPME_SYSCALL_VFORK_17_E */{"vfork", EC_PROCESS, EF_MODIFIES_STATE | EF_OLD_VERSION, 0}, - /* PPME_SYSCALL_VFORK_17_X */{"vfork", EC_PROCESS, EF_MODIFIES_STATE | EF_OLD_VERSION, 17, {{"res", PT_PID, PF_DEC}, {"exe", PT_CHARBUF, PF_NA}, {"args", PT_BYTEBUF, PF_NA}, {"tid", PT_PID, PF_DEC}, {"pid", PT_PID, PF_DEC}, {"ptid", PT_PID, PF_DEC}, {"cwd", PT_CHARBUF, PF_NA}, {"fdlimit", PT_INT64, PF_DEC}, {"pgft_maj", PT_UINT64, PF_DEC}, {"pgft_min", PT_UINT64, PF_DEC}, {"vm_size", PT_UINT32, PF_DEC}, {"vm_rss", PT_UINT32, PF_DEC}, {"vm_swap", PT_UINT32, PF_DEC}, {"comm", PT_CHARBUF, PF_NA}, {"flags", PT_FLAGS32, PF_HEX, clone_flags}, {"uid", PT_UINT32, PF_DEC}, {"gid", PT_UINT32, PF_DEC} } }, + /* PPME_SYSCALL_VFORK_17_X */{"vfork", EC_PROCESS, EF_MODIFIES_STATE | EF_OLD_VERSION, 17, {{"res", PT_PID32, PF_DEC}, {"exe", PT_CHARBUF, PF_NA}, {"args", PT_BYTEBUF, PF_NA}, {"tid", PT_PID32, PF_DEC}, {"pid", PT_PID32, PF_DEC}, {"ptid", PT_PID32, PF_DEC}, {"cwd", PT_CHARBUF, PF_NA}, {"fdlimit", PT_INT64, PF_DEC}, {"pgft_maj", PT_UINT64, PF_DEC}, {"pgft_min", PT_UINT64, PF_DEC}, {"vm_size", PT_UINT32, PF_DEC}, {"vm_rss", PT_UINT32, PF_DEC}, {"vm_swap", PT_UINT32, PF_DEC}, {"comm", PT_CHARBUF, PF_NA}, {"flags", PT_FLAGS32, PF_HEX, clone_flags}, {"uid", PT_UINT32, PF_DEC}, {"gid", PT_UINT32, PF_DEC} } }, /* PPME_SYSCALL_CLONE_20_E */{"clone", EC_PROCESS, EF_MODIFIES_STATE, 0}, - /* PPME_SYSCALL_CLONE_20_X */{"clone", EC_PROCESS, EF_MODIFIES_STATE, 20, {{"res", PT_PID, PF_DEC}, {"exe", PT_CHARBUF, PF_NA}, {"args", PT_BYTEBUF, PF_NA}, {"tid", PT_PID, PF_DEC}, {"pid", PT_PID, PF_DEC}, {"ptid", PT_PID, PF_DEC}, {"cwd", PT_CHARBUF, PF_NA}, {"fdlimit", PT_INT64, PF_DEC}, {"pgft_maj", PT_UINT64, PF_DEC}, {"pgft_min", PT_UINT64, PF_DEC}, {"vm_size", PT_UINT32, PF_DEC}, {"vm_rss", PT_UINT32, PF_DEC}, {"vm_swap", PT_UINT32, PF_DEC}, {"comm", PT_CHARBUF, PF_NA}, {"cgroups", PT_BYTEBUF, PF_NA}, {"flags", PT_FLAGS32, PF_HEX, clone_flags}, {"uid", PT_UINT32, PF_DEC}, {"gid", PT_UINT32, PF_DEC}, {"vtid", PT_PID, PF_DEC}, {"vpid", PT_PID, PF_DEC} } }, + /* PPME_SYSCALL_CLONE_20_X */{"clone", EC_PROCESS, EF_MODIFIES_STATE, 20, {{"res", PT_PID32, PF_DEC}, {"exe", PT_CHARBUF, PF_NA}, {"args", PT_BYTEBUF, PF_NA}, {"tid", PT_PID32, PF_DEC}, {"pid", PT_PID32, PF_DEC}, {"ptid", PT_PID32, PF_DEC}, {"cwd", PT_CHARBUF, PF_NA}, {"fdlimit", PT_INT64, PF_DEC}, {"pgft_maj", PT_UINT64, PF_DEC}, {"pgft_min", PT_UINT64, PF_DEC}, {"vm_size", PT_UINT32, PF_DEC}, {"vm_rss", PT_UINT32, PF_DEC}, {"vm_swap", PT_UINT32, PF_DEC}, {"comm", PT_CHARBUF, PF_NA}, {"cgroups", PT_BYTEBUF, PF_NA}, {"flags", PT_FLAGS32, PF_HEX, clone_flags}, {"uid", PT_UINT32, PF_DEC}, {"gid", PT_UINT32, PF_DEC}, {"vtid", PT_PID32, PF_DEC}, {"vpid", PT_PID32, PF_DEC} } }, /* PPME_SYSCALL_FORK_20_E */{"fork", EC_PROCESS, EF_MODIFIES_STATE, 0}, - /* PPME_SYSCALL_FORK_20_X */{"fork", EC_PROCESS, EF_MODIFIES_STATE, 20, {{"res", PT_PID, PF_DEC}, {"exe", PT_CHARBUF, PF_NA}, {"args", PT_BYTEBUF, PF_NA}, {"tid", PT_PID, PF_DEC}, {"pid", PT_PID, PF_DEC}, {"ptid", PT_PID, PF_DEC}, {"cwd", PT_CHARBUF, PF_NA}, {"fdlimit", PT_INT64, PF_DEC}, {"pgft_maj", PT_UINT64, PF_DEC}, {"pgft_min", PT_UINT64, PF_DEC}, {"vm_size", PT_UINT32, PF_DEC}, {"vm_rss", PT_UINT32, PF_DEC}, {"vm_swap", PT_UINT32, PF_DEC}, {"comm", PT_CHARBUF, PF_NA}, {"cgroups", PT_BYTEBUF, PF_NA}, {"flags", PT_FLAGS32, PF_HEX, clone_flags}, {"uid", PT_UINT32, PF_DEC}, {"gid", PT_UINT32, PF_DEC}, {"vtid", PT_PID, PF_DEC}, {"vpid", PT_PID, PF_DEC} } }, + /* PPME_SYSCALL_FORK_20_X */{"fork", EC_PROCESS, EF_MODIFIES_STATE, 20, {{"res", PT_PID32, PF_DEC}, {"exe", PT_CHARBUF, PF_NA}, {"args", PT_BYTEBUF, PF_NA}, {"tid", PT_PID32, PF_DEC}, {"pid", PT_PID32, PF_DEC}, {"ptid", PT_PID32, PF_DEC}, {"cwd", PT_CHARBUF, PF_NA}, {"fdlimit", PT_INT64, PF_DEC}, {"pgft_maj", PT_UINT64, PF_DEC}, {"pgft_min", PT_UINT64, PF_DEC}, {"vm_size", PT_UINT32, PF_DEC}, {"vm_rss", PT_UINT32, PF_DEC}, {"vm_swap", PT_UINT32, PF_DEC}, {"comm", PT_CHARBUF, PF_NA}, {"cgroups", PT_BYTEBUF, PF_NA}, {"flags", PT_FLAGS32, PF_HEX, clone_flags}, {"uid", PT_UINT32, PF_DEC}, {"gid", PT_UINT32, PF_DEC}, {"vtid", PT_PID32, PF_DEC}, {"vpid", PT_PID32, PF_DEC} } }, /* PPME_SYSCALL_VFORK_20_E */{"vfork", EC_PROCESS, EF_MODIFIES_STATE, 0}, - /* PPME_SYSCALL_VFORK_20_X */{"vfork", EC_PROCESS, EF_MODIFIES_STATE, 20, {{"res", PT_PID, PF_DEC}, {"exe", PT_CHARBUF, PF_NA}, {"args", PT_BYTEBUF, PF_NA}, {"tid", PT_PID, PF_DEC}, {"pid", PT_PID, PF_DEC}, {"ptid", PT_PID, PF_DEC}, {"cwd", PT_CHARBUF, PF_NA}, {"fdlimit", PT_INT64, PF_DEC}, {"pgft_maj", PT_UINT64, PF_DEC}, {"pgft_min", PT_UINT64, PF_DEC}, {"vm_size", PT_UINT32, PF_DEC}, {"vm_rss", PT_UINT32, PF_DEC}, {"vm_swap", PT_UINT32, PF_DEC}, {"comm", PT_CHARBUF, PF_NA}, {"cgroups", PT_BYTEBUF, PF_NA}, {"flags", PT_FLAGS32, PF_HEX, clone_flags}, {"uid", PT_UINT32, PF_DEC}, {"gid", PT_UINT32, PF_DEC}, {"vtid", PT_PID, PF_DEC}, {"vpid", PT_PID, PF_DEC} } }, + /* PPME_SYSCALL_VFORK_20_X */{"vfork", EC_PROCESS, EF_MODIFIES_STATE, 20, {{"res", PT_PID32, PF_DEC}, {"exe", PT_CHARBUF, PF_NA}, {"args", PT_BYTEBUF, PF_NA}, {"tid", PT_PID32, PF_DEC}, {"pid", PT_PID32, PF_DEC}, {"ptid", PT_PID32, PF_DEC}, {"cwd", PT_CHARBUF, PF_NA}, {"fdlimit", PT_INT64, PF_DEC}, {"pgft_maj", PT_UINT64, PF_DEC}, {"pgft_min", PT_UINT64, PF_DEC}, {"vm_size", PT_UINT32, PF_DEC}, {"vm_rss", PT_UINT32, PF_DEC}, {"vm_swap", PT_UINT32, PF_DEC}, {"comm", PT_CHARBUF, PF_NA}, {"cgroups", PT_BYTEBUF, PF_NA}, {"flags", PT_FLAGS32, PF_HEX, clone_flags}, {"uid", PT_UINT32, PF_DEC}, {"gid", PT_UINT32, PF_DEC}, {"vtid", PT_PID32, PF_DEC}, {"vpid", PT_PID32, PF_DEC} } }, /* PPME_CONTAINER_E */{"container", EC_INTERNAL, EF_SKIPPARSERESET | EF_MODIFIES_STATE | EF_OLD_VERSION, 4, {{"id", PT_CHARBUF, PF_NA}, {"type", PT_UINT32, PF_DEC}, {"name", PT_CHARBUF, PF_NA}, {"image", PT_CHARBUF, PF_NA} } }, /* PPME_CONTAINER_X */{"container", EC_INTERNAL, EF_UNUSED | EF_OLD_VERSION, 0}, /* PPME_SYSCALL_EXECVE_16_E */{"execve", EC_PROCESS, EF_MODIFIES_STATE | EF_OLD_VERSION, 0}, - /* PPME_SYSCALL_EXECVE_16_X */{"execve", EC_PROCESS, EF_MODIFIES_STATE | EF_OLD_VERSION, 16, {{"res", PT_ERRNO, PF_DEC}, {"exe", PT_CHARBUF, PF_NA}, {"args", PT_BYTEBUF, PF_NA}, {"tid", PT_PID, PF_DEC}, {"pid", PT_PID, PF_DEC}, {"ptid", PT_PID, PF_DEC}, {"cwd", PT_CHARBUF, PF_NA}, {"fdlimit", PT_UINT64, PF_DEC}, {"pgft_maj", PT_UINT64, PF_DEC}, {"pgft_min", PT_UINT64, PF_DEC}, {"vm_size", PT_UINT32, PF_DEC}, {"vm_rss", PT_UINT32, PF_DEC}, {"vm_swap", PT_UINT32, PF_DEC}, {"comm", PT_CHARBUF, PF_NA}, {"cgroups", PT_BYTEBUF, PF_NA}, {"env", PT_BYTEBUF, PF_NA} } }, - /* PPME_SIGNALDELIVER_E */ {"signaldeliver", EC_SIGNAL, EF_DROP_SIMPLE_CONS, 3, {{"spid", PT_PID, PF_DEC}, {"dpid", PT_PID, PF_DEC}, {"sig", PT_SIGTYPE, PF_DEC} } }, + /* PPME_SYSCALL_EXECVE_16_X */{"execve", EC_PROCESS, EF_MODIFIES_STATE | EF_OLD_VERSION, 16, {{"res", PT_ERRNO32, PF_DEC}, {"exe", PT_CHARBUF, PF_NA}, {"args", PT_BYTEBUF, PF_NA}, {"tid", PT_PID32, PF_DEC}, {"pid", PT_PID32, PF_DEC}, {"ptid", PT_PID32, PF_DEC}, {"cwd", PT_CHARBUF, PF_NA}, {"fdlimit", PT_UINT64, PF_DEC}, {"pgft_maj", PT_UINT64, PF_DEC}, {"pgft_min", PT_UINT64, PF_DEC}, {"vm_size", PT_UINT32, PF_DEC}, {"vm_rss", PT_UINT32, PF_DEC}, {"vm_swap", PT_UINT32, PF_DEC}, {"comm", PT_CHARBUF, PF_NA}, {"cgroups", PT_BYTEBUF, PF_NA}, {"env", PT_BYTEBUF, PF_NA} } }, + /* PPME_SIGNALDELIVER_E */ {"signaldeliver", EC_SIGNAL, EF_DROP_SIMPLE_CONS, 3, {{"spid", PT_PID32, PF_DEC}, {"dpid", PT_PID32, PF_DEC}, {"sig", PT_SIGTYPE, PF_DEC} } }, /* PPME_SIGNALDELIVER_X */ {"signaldeliver", EC_SIGNAL, EF_UNUSED, 0 }, /* PPME_PROCINFO_E */{"procinfo", EC_INTERNAL, EF_SKIPPARSERESET | EF_DROP_SIMPLE_CONS, 2, {{"cpu_usr", PT_UINT64, PF_DEC}, {"cpu_sys", PT_UINT64, PF_DEC} } }, /* PPME_PROCINFO_X */{"NA2", EC_INTERNAL, EF_UNUSED, 0}, - /* PPME_SYSCALL_GETDENTS_E */{"getdents", EC_FILE, EF_USES_FD | EF_DROP_SIMPLE_CONS, 1, {{"fd", PT_FD, PF_NA} } }, - /* PPME_SYSCALL_GETDENTS_X */{"getdents", EC_FILE, EF_USES_FD | EF_DROP_SIMPLE_CONS, 1, {{"res", PT_ERRNO, PF_DEC} } }, - /* PPME_SYSCALL_GETDENTS64_E */{"getdents64", EC_FILE, EF_USES_FD | EF_DROP_SIMPLE_CONS, 1, {{"fd", PT_FD, PF_NA} } }, - /* PPME_SYSCALL_GETDENTS64_X */{"getdents64", EC_FILE, EF_USES_FD | EF_DROP_SIMPLE_CONS, 1, {{"res", PT_ERRNO, PF_DEC} } }, - /* PPME_SYSCALL_SETNS_E */ {"setns", EC_PROCESS, EF_USES_FD, 2, {{"fd", PT_FD, PF_NA}, {"nstype", PT_FLAGS32, PF_HEX, clone_flags} } }, - /* PPME_SYSCALL_SETNS_X */ {"setns", EC_PROCESS, EF_USES_FD, 1, {{"res", PT_ERRNO, PF_DEC} } }, - /* PPME_SYSCALL_FLOCK_E */ {"flock", EC_FILE, EF_USES_FD, 2, {{"fd", PT_FD, PF_NA}, {"operation", PT_FLAGS32, PF_HEX, flock_flags} } }, - /* PPME_SYSCALL_FLOCK_X */ {"flock", EC_FILE, EF_USES_FD, 1, {{"res", PT_ERRNO, PF_DEC} } }, + /* PPME_SYSCALL_GETDENTS_E */{"getdents", EC_FILE, EF_USES_FD | EF_DROP_SIMPLE_CONS, 1, {{"fd", PT_FD32, PF_NA} } }, + /* PPME_SYSCALL_GETDENTS_X */{"getdents", EC_FILE, EF_USES_FD | EF_DROP_SIMPLE_CONS, 1, {{"res", PT_ERRNO32, PF_DEC} } }, + /* PPME_SYSCALL_GETDENTS64_E */{"getdents64", EC_FILE, EF_USES_FD | EF_DROP_SIMPLE_CONS, 1, {{"fd", PT_FD32, PF_NA} } }, + /* PPME_SYSCALL_GETDENTS64_X */{"getdents64", EC_FILE, EF_USES_FD | EF_DROP_SIMPLE_CONS, 1, {{"res", PT_ERRNO32, PF_DEC} } }, + /* PPME_SYSCALL_SETNS_E */ {"setns", EC_PROCESS, EF_USES_FD, 2, {{"fd", PT_FD32, PF_NA}, {"nstype", PT_FLAGS32, PF_HEX, clone_flags} } }, + /* PPME_SYSCALL_SETNS_X */ {"setns", EC_PROCESS, EF_USES_FD, 1, {{"res", PT_ERRNO32, PF_DEC} } }, + /* PPME_SYSCALL_FLOCK_E */ {"flock", EC_FILE, EF_USES_FD, 2, {{"fd", PT_FD32, PF_NA}, {"operation", PT_FLAGS32, PF_HEX, flock_flags} } }, + /* PPME_SYSCALL_FLOCK_X */ {"flock", EC_FILE, EF_USES_FD, 1, {{"res", PT_ERRNO32, PF_DEC} } }, /* PPME_CPU_HOTPLUG_E */ {"cpu_hotplug", EC_SYSTEM, EF_SKIPPARSERESET | EF_MODIFIES_STATE, 2, {{"cpu", PT_UINT32, PF_DEC}, {"action", PT_UINT32, PF_DEC} } }, /* PPME_CPU_HOTPLUG_X */{"NA2", EC_SYSTEM, EF_UNUSED, 0}, /* PPME_SOCKET_ACCEPT_5_E */{"accept", EC_NET, EF_CREATES_FD | EF_MODIFIES_STATE, 0}, - /* PPME_SOCKET_ACCEPT_5_X */{"accept", EC_NET, EF_CREATES_FD | EF_MODIFIES_STATE, 5, {{"fd", PT_FD, PF_DEC}, {"tuple", PT_SOCKTUPLE, PF_NA}, {"queuepct", PT_UINT8, PF_DEC}, {"queuelen", PT_UINT32, PF_DEC}, {"queuemax", PT_UINT32, PF_DEC} } }, + /* PPME_SOCKET_ACCEPT_5_X */{"accept", EC_NET, EF_CREATES_FD | EF_MODIFIES_STATE, 5, {{"fd", PT_FD32, PF_DEC}, {"tuple", PT_SOCKTUPLE, PF_NA}, {"queuepct", PT_UINT8, PF_DEC}, {"queuelen", PT_UINT32, PF_DEC}, {"queuemax", PT_UINT32, PF_DEC} } }, /* PPME_SOCKET_ACCEPT4_5_E */{"accept", EC_NET, EF_CREATES_FD | EF_MODIFIES_STATE, 1, {{"flags", PT_INT32, PF_HEX} } }, - /* PPME_SOCKET_ACCEPT4_5_X */{"accept", EC_NET, EF_CREATES_FD | EF_MODIFIES_STATE, 5, {{"fd", PT_FD, PF_DEC}, {"tuple", PT_SOCKTUPLE, PF_NA}, {"queuepct", PT_UINT8, PF_DEC}, {"queuelen", PT_UINT32, PF_DEC}, {"queuemax", PT_UINT32, PF_DEC} } }, + /* PPME_SOCKET_ACCEPT4_5_X */{"accept", EC_NET, EF_CREATES_FD | EF_MODIFIES_STATE, 5, {{"fd", PT_FD32, PF_DEC}, {"tuple", PT_SOCKTUPLE, PF_NA}, {"queuepct", PT_UINT8, PF_DEC}, {"queuelen", PT_UINT32, PF_DEC}, {"queuemax", PT_UINT32, PF_DEC} } }, /* PPME_SYSCALL_SEMOP_E */ {"semop", EC_PROCESS, EF_DROP_SIMPLE_CONS, 1, {{"semid", PT_INT32, PF_DEC} } }, - /* PPME_SYSCALL_SEMOP_X */ {"semop", EC_PROCESS, EF_DROP_SIMPLE_CONS, 8, {{"res", PT_ERRNO, PF_DEC}, {"nsops", PT_UINT32, PF_DEC}, {"sem_num_0", PT_UINT16, PF_DEC}, {"sem_op_0", PT_INT16, PF_DEC}, {"sem_flg_0", PT_FLAGS16, PF_HEX, semop_flags}, {"sem_num_1", PT_UINT16, PF_DEC}, {"sem_op_1", PT_INT16, PF_DEC}, {"sem_flg_1", PT_FLAGS16, PF_HEX, semop_flags} } }, + /* PPME_SYSCALL_SEMOP_X */ {"semop", EC_PROCESS, EF_DROP_SIMPLE_CONS, 8, {{"res", PT_ERRNO32, PF_DEC}, {"nsops", PT_UINT32, PF_DEC}, {"sem_num_0", PT_UINT16, PF_DEC}, {"sem_op_0", PT_INT16, PF_DEC}, {"sem_flg_0", PT_FLAGS16, PF_HEX, semop_flags}, {"sem_num_1", PT_UINT16, PF_DEC}, {"sem_op_1", PT_INT16, PF_DEC}, {"sem_flg_1", PT_FLAGS16, PF_HEX, semop_flags} } }, /* PPME_SYSCALL_SEMCTL_E */{"semctl", EC_PROCESS, EF_DROP_SIMPLE_CONS, 4, {{"semid", PT_INT32, PF_DEC}, {"semnum", PT_INT32, PF_DEC}, {"cmd", PT_FLAGS16, PF_HEX, semctl_commands}, {"val", PT_INT32, PF_DEC} } }, - /* PPME_SYSCALL_SEMCTL_X */{"semctl", EC_PROCESS, EF_DROP_SIMPLE_CONS, 1, {{"res", PT_ERRNO, PF_DEC} } }, - /* PPME_SYSCALL_PPOLL_E */{"ppoll", EC_WAIT, EF_WAITS | EF_DROP_SIMPLE_CONS, 3, {{"fds", PT_FDLIST, PF_DEC}, {"timeout", PT_RELTIME, PF_DEC}, {"sigmask", PT_SIGSET, PF_DEC} } }, - /* PPME_SYSCALL_PPOLL_X */{"ppoll", EC_WAIT, EF_WAITS | EF_DROP_SIMPLE_CONS, 2, {{"res", PT_ERRNO, PF_DEC}, {"fds", PT_FDLIST, PF_DEC} } }, + /* PPME_SYSCALL_SEMCTL_X */{"semctl", EC_PROCESS, EF_DROP_SIMPLE_CONS, 1, {{"res", PT_ERRNO32, PF_DEC} } }, + /* PPME_SYSCALL_PPOLL_E */{"ppoll", EC_WAIT, EF_WAITS | EF_DROP_SIMPLE_CONS, 3, {{"fds", PT_FDLIST32, PF_DEC}, {"timeout", PT_RELTIME, PF_DEC}, {"sigmask", PT_SIGSET, PF_DEC} } }, + /* PPME_SYSCALL_PPOLL_X */{"ppoll", EC_WAIT, EF_WAITS | EF_DROP_SIMPLE_CONS, 2, {{"res", PT_ERRNO32, PF_DEC}, {"fds", PT_FDLIST32, PF_DEC} } }, /* PPME_SYSCALL_MOUNT_E */{"mount", EC_FILE, EF_MODIFIES_STATE, 1, {{"flags", PT_FLAGS32, PF_HEX, mount_flags} } }, - /* PPME_SYSCALL_MOUNT_X */{"mount", EC_FILE, EF_MODIFIES_STATE, 4, {{"res", PT_ERRNO, PF_DEC}, {"dev", PT_CHARBUF, PF_NA}, {"dir", PT_FSPATH, PF_NA}, {"type", PT_CHARBUF, PF_NA} } }, + /* PPME_SYSCALL_MOUNT_X */{"mount", EC_FILE, EF_MODIFIES_STATE, 4, {{"res", PT_ERRNO32, PF_DEC}, {"dev", PT_CHARBUF, PF_NA}, {"dir", PT_FSPATH, PF_NA}, {"type", PT_CHARBUF, PF_NA} } }, /* PPME_SYSCALL_UMOUNT_E */{"umount", EC_FILE, EF_MODIFIES_STATE, 1, {{"flags", PT_FLAGS32, PF_HEX, umount_flags} } }, - /* PPME_SYSCALL_UMOUNT_X */{"umount", EC_FILE, EF_MODIFIES_STATE, 2, {{"res", PT_ERRNO, PF_DEC}, {"name", PT_FSPATH, PF_NA} } }, + /* PPME_SYSCALL_UMOUNT_X */{"umount", EC_FILE, EF_MODIFIES_STATE, 2, {{"res", PT_ERRNO32, PF_DEC}, {"name", PT_FSPATH, PF_NA} } }, /* PPME_K8S_E */{"k8s", EC_INTERNAL, EF_SKIPPARSERESET | EF_MODIFIES_STATE, 1, {{"json", PT_CHARBUF, PF_NA} } }, /* PPME_K8S_X */{"NA3", EC_SYSTEM, EF_UNUSED, 0}, /* PPME_SYSCALL_SEMGET_E */{"semget", EC_PROCESS, EF_DROP_SIMPLE_CONS, 3, {{"key", PT_INT32, PF_HEX}, {"nsems", PT_INT32, PF_DEC}, {"semflg", PT_FLAGS32, PF_HEX, semget_flags} } }, - /* PPME_SYSCALL_SEMGET_X */{"semget", EC_PROCESS, EF_DROP_SIMPLE_CONS, 1, {{"res", PT_ERRNO, PF_DEC} } }, + /* PPME_SYSCALL_SEMGET_X */{"semget", EC_PROCESS, EF_DROP_SIMPLE_CONS, 1, {{"res", PT_ERRNO32, PF_DEC} } }, /* PPME_SYSCALL_ACCESS_E */{"access", EC_FILE, EF_DROP_SIMPLE_CONS, 1, {{"mode", PT_FLAGS32, PF_HEX, access_flags} } }, - /* PPME_SYSCALL_ACCESS_X */{"access", EC_FILE, EF_DROP_SIMPLE_CONS, 2, {{"res", PT_ERRNO, PF_DEC}, {"name", PT_FSPATH, PF_NA} } }, + /* PPME_SYSCALL_ACCESS_X */{"access", EC_FILE, EF_DROP_SIMPLE_CONS, 2, {{"res", PT_ERRNO32, PF_DEC}, {"name", PT_FSPATH, PF_NA} } }, /* PPME_SYSCALL_CHROOT_E */{"chroot", EC_PROCESS, EF_MODIFIES_STATE, 0}, - /* PPME_SYSCALL_CHROOT_X */{"chroot", EC_PROCESS, EF_MODIFIES_STATE, 2, {{"res", PT_ERRNO, PF_DEC}, {"path", PT_FSPATH, PF_NA} } }, + /* PPME_SYSCALL_CHROOT_X */{"chroot", EC_PROCESS, EF_MODIFIES_STATE, 2, {{"res", PT_ERRNO32, PF_DEC}, {"path", PT_FSPATH, PF_NA} } }, /* PPME_TRACER_E */{"tracer", EC_OTHER, EF_NONE, 3, {{"id", PT_INT64, PF_DEC}, {"tags", PT_CHARBUFARRAY, PF_NA}, {"args", PT_CHARBUF_PAIR_ARRAY, PF_NA} } }, /* PPME_TRACER_X */{ "tracer", EC_OTHER, EF_NONE, 3, { { "id", PT_INT64, PF_DEC }, { "tags", PT_CHARBUFARRAY, PF_NA }, { "args", PT_CHARBUF_PAIR_ARRAY, PF_NA } } }, /* PPME_MESOS_E */{"mesos", EC_INTERNAL, EF_SKIPPARSERESET | EF_MODIFIES_STATE, 1, {{"json", PT_CHARBUF, PF_NA} } }, @@ -287,85 +287,85 @@ const struct ppm_event_info g_event_info[PPM_EVENT_MAX] = { /* PPME_CONTAINER_JSON_E */{"container", EC_PROCESS, EF_MODIFIES_STATE | EF_OLD_VERSION, 1, {{"json", PT_CHARBUF, PF_NA} } }, /* PPME_CONTAINER_JSON_X */{"container", EC_PROCESS, EF_UNUSED, 0}, /* PPME_SYSCALL_SETSID_E */{"setsid", EC_PROCESS, EF_MODIFIES_STATE, 0}, - /* PPME_SYSCALL_SETSID_X */{"setsid", EC_PROCESS, EF_MODIFIES_STATE, 1, {{"res", PT_PID, PF_DEC} } }, + /* PPME_SYSCALL_SETSID_X */{"setsid", EC_PROCESS, EF_MODIFIES_STATE, 1, {{"res", PT_PID32, PF_DEC} } }, /* PPME_SYSCALL_MKDIR_2_E */{"mkdir", EC_FILE, EF_NONE, 1, {{"mode", PT_UINT32, PF_HEX} } }, - /* PPME_SYSCALL_MKDIR_2_X */{"mkdir", EC_FILE, EF_NONE, 2, {{"res", PT_ERRNO, PF_DEC}, {"path", PT_FSPATH, PF_NA} } }, + /* PPME_SYSCALL_MKDIR_2_X */{"mkdir", EC_FILE, EF_NONE, 2, {{"res", PT_ERRNO32, PF_DEC}, {"path", PT_FSPATH, PF_NA} } }, /* PPME_SYSCALL_RMDIR_2_E */{"rmdir", EC_FILE, EF_NONE, 0}, - /* PPME_SYSCALL_RMDIR_2_X */{"rmdir", EC_FILE, EF_NONE, 2, {{"res", PT_ERRNO, PF_DEC}, {"path", PT_FSPATH, PF_NA} } }, + /* PPME_SYSCALL_RMDIR_2_X */{"rmdir", EC_FILE, EF_NONE, 2, {{"res", PT_ERRNO32, PF_DEC}, {"path", PT_FSPATH, PF_NA} } }, /* PPME_NOTIFICATION_E */{"notification", EC_OTHER, EF_SKIPPARSERESET, 2, {{"id", PT_CHARBUF, PF_DEC}, {"desc", PT_CHARBUF, PF_NA}, } }, /* PPME_NOTIFICATION_X */{"NA4", EC_SYSTEM, EF_UNUSED, 0}, /* PPME_SYSCALL_EXECVE_17_E */{"execve", EC_PROCESS, EF_MODIFIES_STATE | EF_OLD_VERSION, 0}, - /* PPME_SYSCALL_EXECVE_17_X */{"execve", EC_PROCESS, EF_MODIFIES_STATE | EF_OLD_VERSION, 17, {{"res", PT_ERRNO, PF_DEC}, {"exe", PT_CHARBUF, PF_NA}, {"args", PT_BYTEBUF, PF_NA}, {"tid", PT_PID, PF_DEC}, {"pid", PT_PID, PF_DEC}, {"ptid", PT_PID, PF_DEC}, {"cwd", PT_CHARBUF, PF_NA}, {"fdlimit", PT_UINT64, PF_DEC}, {"pgft_maj", PT_UINT64, PF_DEC}, {"pgft_min", PT_UINT64, PF_DEC}, {"vm_size", PT_UINT32, PF_DEC}, {"vm_rss", PT_UINT32, PF_DEC}, {"vm_swap", PT_UINT32, PF_DEC}, {"comm", PT_CHARBUF, PF_NA}, {"cgroups", PT_BYTEBUF, PF_NA}, {"env", PT_BYTEBUF, PF_NA}, {"tty", PT_INT32, PF_DEC} } }, + /* PPME_SYSCALL_EXECVE_17_X */{"execve", EC_PROCESS, EF_MODIFIES_STATE | EF_OLD_VERSION, 17, {{"res", PT_ERRNO32, PF_DEC}, {"exe", PT_CHARBUF, PF_NA}, {"args", PT_BYTEBUF, PF_NA}, {"tid", PT_PID32, PF_DEC}, {"pid", PT_PID32, PF_DEC}, {"ptid", PT_PID32, PF_DEC}, {"cwd", PT_CHARBUF, PF_NA}, {"fdlimit", PT_UINT64, PF_DEC}, {"pgft_maj", PT_UINT64, PF_DEC}, {"pgft_min", PT_UINT64, PF_DEC}, {"vm_size", PT_UINT32, PF_DEC}, {"vm_rss", PT_UINT32, PF_DEC}, {"vm_swap", PT_UINT32, PF_DEC}, {"comm", PT_CHARBUF, PF_NA}, {"cgroups", PT_BYTEBUF, PF_NA}, {"env", PT_BYTEBUF, PF_NA}, {"tty", PT_INT32, PF_DEC} } }, /* PPME_SYSCALL_UNSHARE_E */ {"unshare", EC_PROCESS, EF_NONE, 1, {{"flags", PT_FLAGS32, PF_HEX, clone_flags} } }, - /* PPME_SYSCALL_UNSHARE_X */ {"unshare", EC_PROCESS, EF_NONE, 1, {{"res", PT_ERRNO, PF_DEC} } }, + /* PPME_SYSCALL_UNSHARE_X */ {"unshare", EC_PROCESS, EF_NONE, 1, {{"res", PT_ERRNO32, PF_DEC} } }, /* PPME_INFRASTRUCTURE_EVENT_E */{"infra", EC_INTERNAL, EF_SKIPPARSERESET, 4, {{"source", PT_CHARBUF, PF_DEC}, {"name", PT_CHARBUF, PF_NA}, {"description", PT_CHARBUF, PF_NA}, {"scope", PT_CHARBUF, PF_NA} } }, /* PPME_INFRASTRUCTURE_EVENT_X */{"NA4", EC_SYSTEM, EF_UNUSED, 0}, /* PPME_SYSCALL_EXECVE_18_E */{"execve", EC_PROCESS, EF_MODIFIES_STATE | EF_OLD_VERSION, 1, {{"filename", PT_FSPATH, PF_NA} } }, - /* PPME_SYSCALL_EXECVE_18_X */{"execve", EC_PROCESS, EF_MODIFIES_STATE | EF_OLD_VERSION, 17, {{"res", PT_ERRNO, PF_DEC}, {"exe", PT_CHARBUF, PF_NA}, {"args", PT_BYTEBUF, PF_NA}, {"tid", PT_PID, PF_DEC}, {"pid", PT_PID, PF_DEC}, {"ptid", PT_PID, PF_DEC}, {"cwd", PT_CHARBUF, PF_NA}, {"fdlimit", PT_UINT64, PF_DEC}, {"pgft_maj", PT_UINT64, PF_DEC}, {"pgft_min", PT_UINT64, PF_DEC}, {"vm_size", PT_UINT32, PF_DEC}, {"vm_rss", PT_UINT32, PF_DEC}, {"vm_swap", PT_UINT32, PF_DEC}, {"comm", PT_CHARBUF, PF_NA}, {"cgroups", PT_BYTEBUF, PF_NA}, {"env", PT_BYTEBUF, PF_NA}, {"tty", PT_INT32, PF_DEC} } }, + /* PPME_SYSCALL_EXECVE_18_X */{"execve", EC_PROCESS, EF_MODIFIES_STATE | EF_OLD_VERSION, 17, {{"res", PT_ERRNO32, PF_DEC}, {"exe", PT_CHARBUF, PF_NA}, {"args", PT_BYTEBUF, PF_NA}, {"tid", PT_PID32, PF_DEC}, {"pid", PT_PID32, PF_DEC}, {"ptid", PT_PID32, PF_DEC}, {"cwd", PT_CHARBUF, PF_NA}, {"fdlimit", PT_UINT64, PF_DEC}, {"pgft_maj", PT_UINT64, PF_DEC}, {"pgft_min", PT_UINT64, PF_DEC}, {"vm_size", PT_UINT32, PF_DEC}, {"vm_rss", PT_UINT32, PF_DEC}, {"vm_swap", PT_UINT32, PF_DEC}, {"comm", PT_CHARBUF, PF_NA}, {"cgroups", PT_BYTEBUF, PF_NA}, {"env", PT_BYTEBUF, PF_NA}, {"tty", PT_INT32, PF_DEC} } }, /* PPME_PAGE_FAULT_E */ {"page_fault", EC_OTHER, EF_SKIPPARSERESET | EF_DROP_SIMPLE_CONS, 3, {{"addr", PT_UINT64, PF_HEX}, {"ip", PT_UINT64, PF_HEX}, {"error", PT_FLAGS32, PF_HEX, pf_flags} } }, /* PPME_PAGE_FAULT_X */ {"NA5", EC_OTHER, EF_UNUSED, 0}, /* PPME_SYSCALL_EXECVE_19_E */{"execve", EC_PROCESS, EF_MODIFIES_STATE, 1, {{"filename", PT_FSPATH, PF_NA} } }, - /* PPME_SYSCALL_EXECVE_19_X */{"execve", EC_PROCESS, EF_MODIFIES_STATE, 23, {{"res", PT_ERRNO, PF_DEC}, {"exe", PT_CHARBUF, PF_NA}, {"args", PT_BYTEBUF, PF_NA}, {"tid", PT_PID, PF_DEC}, {"pid", PT_PID, PF_DEC}, {"ptid", PT_PID, PF_DEC}, {"cwd", PT_CHARBUF, PF_NA}, {"fdlimit", PT_UINT64, PF_DEC}, {"pgft_maj", PT_UINT64, PF_DEC}, {"pgft_min", PT_UINT64, PF_DEC}, {"vm_size", PT_UINT32, PF_DEC}, {"vm_rss", PT_UINT32, PF_DEC}, {"vm_swap", PT_UINT32, PF_DEC}, {"comm", PT_CHARBUF, PF_NA}, {"cgroups", PT_BYTEBUF, PF_NA}, {"env", PT_BYTEBUF, PF_NA}, {"tty", PT_INT32, PF_DEC}, {"pgid", PT_PID, PF_DEC}, {"loginuid", PT_INT32, PF_DEC}, {"flags", PT_FLAGS32, PF_HEX, execve_flags}, {"cap_inheritable", PT_UINT64, PF_HEX}, {"cap_permitted", PT_UINT64, PF_HEX}, {"cap_effective", PT_UINT64, PF_HEX} } }, - /* PPME_SYSCALL_SETPGID_E */{"setpgid", EC_PROCESS, EF_MODIFIES_STATE, 2, {{"pid", PT_PID, PF_DEC}, {"pgid", PT_PID, PF_DEC} } }, - /* PPME_SYSCALL_SETPGID_X */{"setpgid", EC_PROCESS, EF_MODIFIES_STATE, 1, {{"res", PT_PID, PF_DEC} } }, + /* PPME_SYSCALL_EXECVE_19_X */{"execve", EC_PROCESS, EF_MODIFIES_STATE, 23, {{"res", PT_ERRNO32, PF_DEC}, {"exe", PT_CHARBUF, PF_NA}, {"args", PT_BYTEBUF, PF_NA}, {"tid", PT_PID32, PF_DEC}, {"pid", PT_PID32, PF_DEC}, {"ptid", PT_PID32, PF_DEC}, {"cwd", PT_CHARBUF, PF_NA}, {"fdlimit", PT_UINT64, PF_DEC}, {"pgft_maj", PT_UINT64, PF_DEC}, {"pgft_min", PT_UINT64, PF_DEC}, {"vm_size", PT_UINT32, PF_DEC}, {"vm_rss", PT_UINT32, PF_DEC}, {"vm_swap", PT_UINT32, PF_DEC}, {"comm", PT_CHARBUF, PF_NA}, {"cgroups", PT_BYTEBUF, PF_NA}, {"env", PT_BYTEBUF, PF_NA}, {"tty", PT_INT32, PF_DEC}, {"pgid", PT_PID32, PF_DEC}, {"loginuid", PT_INT32, PF_DEC}, {"flags", PT_FLAGS32, PF_HEX, execve_flags}, {"cap_inheritable", PT_UINT64, PF_HEX}, {"cap_permitted", PT_UINT64, PF_HEX}, {"cap_effective", PT_UINT64, PF_HEX} } }, + /* PPME_SYSCALL_SETPGID_E */{"setpgid", EC_PROCESS, EF_MODIFIES_STATE, 2, {{"pid", PT_PID32, PF_DEC}, {"pgid", PT_PID32, PF_DEC} } }, + /* PPME_SYSCALL_SETPGID_X */{"setpgid", EC_PROCESS, EF_MODIFIES_STATE, 1, {{"res", PT_PID32, PF_DEC} } }, /* PPME_SYSCALL_BPF_E */{"bpf", EC_OTHER, EF_CREATES_FD, 1, {{"cmd", PT_INT64, PF_DEC} } }, /* PPME_SYSCALL_BPF_X */{"bpf", EC_OTHER, EF_CREATES_FD, 1, {{"res_or_fd", PT_DYN, PF_DEC, bpf_dynamic_param, PPM_BPF_IDX_MAX} } }, /* PPME_SYSCALL_SECCOMP_E */{"seccomp", EC_OTHER, EF_NONE, 1, {{"op", PT_UINT64, PF_DEC}, {"flags", PT_UINT64, PF_HEX} } }, - /* PPME_SYSCALL_SECCOMP_X */{"seccomp", EC_OTHER, EF_NONE, 1, {{"res", PT_ERRNO, PF_DEC} } }, + /* PPME_SYSCALL_SECCOMP_X */{"seccomp", EC_OTHER, EF_NONE, 1, {{"res", PT_ERRNO32, PF_DEC} } }, /* PPME_SYSCALL_UNLINK_2_E */{"unlink", EC_FILE, EF_NONE, 0}, - /* PPME_SYSCALL_UNLINK_2_X */{"unlink", EC_FILE, EF_NONE, 2, {{"res", PT_ERRNO, PF_DEC}, {"path", PT_FSPATH, PF_NA} } }, + /* PPME_SYSCALL_UNLINK_2_X */{"unlink", EC_FILE, EF_NONE, 2, {{"res", PT_ERRNO32, PF_DEC}, {"path", PT_FSPATH, PF_NA} } }, /* PPME_SYSCALL_UNLINKAT_2_E */{"unlinkat", EC_FILE, EF_NONE, 0}, - /* PPME_SYSCALL_UNLINKAT_2_X */{"unlinkat", EC_FILE, EF_NONE, 4, {{"res", PT_ERRNO, PF_DEC}, {"dirfd", PT_FD, PF_DEC}, {"name", PT_FSRELPATH, PF_NA, DIRFD_PARAM(1)}, {"flags", PT_FLAGS32, PF_HEX, unlinkat_flags} } }, + /* PPME_SYSCALL_UNLINKAT_2_X */{"unlinkat", EC_FILE, EF_NONE, 4, {{"res", PT_ERRNO32, PF_DEC}, {"dirfd", PT_FD32, PF_DEC}, {"name", PT_FSRELPATH, PF_NA, DIRFD_PARAM(1)}, {"flags", PT_FLAGS32, PF_HEX, unlinkat_flags} } }, /* PPME_SYSCALL_MKDIRAT_E */{"mkdirat", EC_FILE, EF_NONE, 0}, - /* PPME_SYSCALL_MKDIRAT_X */{"mkdirat", EC_FILE, EF_NONE, 4, {{"res", PT_ERRNO, PF_DEC}, {"dirfd", PT_FD, PF_DEC}, {"path", PT_FSRELPATH, PF_NA, DIRFD_PARAM(1)}, {"mode", PT_UINT32, PF_HEX} } }, - /* PPME_SYSCALL_OPENAT_2_E */{"openat", EC_FILE, EF_CREATES_FD | EF_MODIFIES_STATE, 4, {{"dirfd", PT_FD, PF_DEC}, {"name", PT_FSRELPATH, PF_NA, DIRFD_PARAM(0)}, {"flags", PT_FLAGS32, PF_HEX, file_flags}, {"mode", PT_UINT32, PF_OCT} } }, - /* PPME_SYSCALL_OPENAT_2_X */{"openat", EC_FILE, EF_CREATES_FD | EF_MODIFIES_STATE, 7, {{"fd", PT_FD, PF_DEC}, {"dirfd", PT_FD, PF_DEC}, {"name", PT_FSRELPATH, PF_NA, DIRFD_PARAM(1)}, {"flags", PT_FLAGS32, PF_HEX, file_flags}, {"mode", PT_UINT32, PF_OCT}, {"dev", PT_UINT32, PF_HEX}, {"ino", PT_UINT64, PF_DEC} } }, + /* PPME_SYSCALL_MKDIRAT_X */{"mkdirat", EC_FILE, EF_NONE, 4, {{"res", PT_ERRNO32, PF_DEC}, {"dirfd", PT_FD32, PF_DEC}, {"path", PT_FSRELPATH, PF_NA, DIRFD_PARAM(1)}, {"mode", PT_UINT32, PF_HEX} } }, + /* PPME_SYSCALL_OPENAT_2_E */{"openat", EC_FILE, EF_CREATES_FD | EF_MODIFIES_STATE, 4, {{"dirfd", PT_FD32, PF_DEC}, {"name", PT_FSRELPATH, PF_NA, DIRFD_PARAM(0)}, {"flags", PT_FLAGS32, PF_HEX, file_flags}, {"mode", PT_UINT32, PF_OCT} } }, + /* PPME_SYSCALL_OPENAT_2_X */{"openat", EC_FILE, EF_CREATES_FD | EF_MODIFIES_STATE, 7, {{"fd", PT_FD32, PF_DEC}, {"dirfd", PT_FD32, PF_DEC}, {"name", PT_FSRELPATH, PF_NA, DIRFD_PARAM(1)}, {"flags", PT_FLAGS32, PF_HEX, file_flags}, {"mode", PT_UINT32, PF_OCT}, {"dev", PT_UINT32, PF_HEX}, {"ino", PT_UINT64, PF_DEC} } }, /* PPME_SYSCALL_LINK_2_E */{"link", EC_FILE, EF_NONE, 0}, - /* PPME_SYSCALL_LINK_2_X */{"link", EC_FILE, EF_NONE, 3, {{"res", PT_ERRNO, PF_DEC}, {"oldpath", PT_FSPATH, PF_NA}, {"newpath", PT_FSPATH, PF_NA} } }, + /* PPME_SYSCALL_LINK_2_X */{"link", EC_FILE, EF_NONE, 3, {{"res", PT_ERRNO32, PF_DEC}, {"oldpath", PT_FSPATH, PF_NA}, {"newpath", PT_FSPATH, PF_NA} } }, /* PPME_SYSCALL_LINKAT_2_E */{"linkat", EC_FILE, EF_NONE, 0}, - /* PPME_SYSCALL_LINKAT_2_X */{"linkat", EC_FILE, EF_NONE, 6, {{"res", PT_ERRNO, PF_DEC}, {"olddir", PT_FD, PF_DEC}, {"oldpath", PT_FSRELPATH, PF_NA, DIRFD_PARAM(1)}, {"newdir", PT_FD, PF_DEC}, {"newpath", PT_FSRELPATH, PF_NA, DIRFD_PARAM(3)}, {"flags", PT_FLAGS32, PF_HEX, linkat_flags} } }, + /* PPME_SYSCALL_LINKAT_2_X */{"linkat", EC_FILE, EF_NONE, 6, {{"res", PT_ERRNO32, PF_DEC}, {"olddir", PT_FD32, PF_DEC}, {"oldpath", PT_FSRELPATH, PF_NA, DIRFD_PARAM(1)}, {"newdir", PT_FD32, PF_DEC}, {"newpath", PT_FSRELPATH, PF_NA, DIRFD_PARAM(3)}, {"flags", PT_FLAGS32, PF_HEX, linkat_flags} } }, /* PPME_SYSCALL_FCHMODAT_E */{"fchmodat", EC_FILE, EF_NONE, 0}, - /* PPME_SYSCALL_FCHMODAT_X */{"fchmodat", EC_FILE, EF_NONE, 4, {{"res", PT_ERRNO, PF_DEC}, {"dirfd", PT_FD, PF_DEC}, {"filename", PT_FSRELPATH, PF_NA, DIRFD_PARAM(1)}, {"mode", PT_MODE, PF_OCT, chmod_mode} } }, + /* PPME_SYSCALL_FCHMODAT_X */{"fchmodat", EC_FILE, EF_NONE, 4, {{"res", PT_ERRNO32, PF_DEC}, {"dirfd", PT_FD32, PF_DEC}, {"filename", PT_FSRELPATH, PF_NA, DIRFD_PARAM(1)}, {"mode", PT_MODE, PF_OCT, chmod_mode} } }, /* PPME_SYSCALL_CHMOD_E */{"chmod", EC_FILE, EF_NONE, 0}, - /* PPME_SYSCALL_CHMOD_X */{"chmod", EC_FILE, EF_NONE, 3, {{"res", PT_ERRNO, PF_DEC}, {"filename", PT_FSPATH, PF_NA}, {"mode", PT_MODE, PF_OCT, chmod_mode} } }, + /* PPME_SYSCALL_CHMOD_X */{"chmod", EC_FILE, EF_NONE, 3, {{"res", PT_ERRNO32, PF_DEC}, {"filename", PT_FSPATH, PF_NA}, {"mode", PT_MODE, PF_OCT, chmod_mode} } }, /* PPME_SYSCALL_FCHMOD_E */{"fchmod", EC_FILE, EF_NONE, 0}, - /* PPME_SYSCALL_FCHMOD_X */{"fchmod", EC_FILE, EF_NONE, 3, {{"res", PT_ERRNO, PF_DEC}, {"fd", PT_FD, PF_DEC}, {"mode", PT_MODE, PF_OCT, chmod_mode} } }, + /* PPME_SYSCALL_FCHMOD_X */{"fchmod", EC_FILE, EF_NONE, 3, {{"res", PT_ERRNO32, PF_DEC}, {"fd", PT_FD32, PF_DEC}, {"mode", PT_MODE, PF_OCT, chmod_mode} } }, /* PPME_SYSCALL_RENAMEAT2_E */{"renameat2", EC_FILE, EF_NONE, 0 }, - /* PPME_SYSCALL_RENAMEAT2_X */{"renameat2", EC_FILE, EF_NONE, 6, {{"res", PT_ERRNO, PF_DEC}, {"olddirfd", PT_FD, PF_DEC}, {"oldpath", PT_FSRELPATH, PF_NA, DIRFD_PARAM(1)}, {"newdirfd", PT_FD, PF_DEC}, {"newpath", PT_FSRELPATH, PF_NA, DIRFD_PARAM(3)}, {"flags", PT_FLAGS32, PF_HEX, renameat2_flags} } }, + /* PPME_SYSCALL_RENAMEAT2_X */{"renameat2", EC_FILE, EF_NONE, 6, {{"res", PT_ERRNO32, PF_DEC}, {"olddirfd", PT_FD32, PF_DEC}, {"oldpath", PT_FSRELPATH, PF_NA, DIRFD_PARAM(1)}, {"newdirfd", PT_FD32, PF_DEC}, {"newpath", PT_FSRELPATH, PF_NA, DIRFD_PARAM(3)}, {"flags", PT_FLAGS32, PF_HEX, renameat2_flags} } }, /* PPME_SYSCALL_USERFAULTFD_E */{"userfaultfd", EC_FILE, EF_CREATES_FD | EF_MODIFIES_STATE, 0}, - /* PPME_SYSCALL_USERFAULTFD_X */{"userfaultfd", EC_FILE, EF_CREATES_FD | EF_MODIFIES_STATE, 2, {{"res", PT_ERRNO, PF_DEC}, {"flags", PT_FLAGS32, PF_HEX, file_flags} } }, + /* PPME_SYSCALL_USERFAULTFD_X */{"userfaultfd", EC_FILE, EF_CREATES_FD | EF_MODIFIES_STATE, 2, {{"res", PT_ERRNO32, PF_DEC}, {"flags", PT_FLAGS32, PF_HEX, file_flags} } }, /* PPME_PLUGINEVENT_E */{"pluginevent", EC_OTHER, EF_LARGE_PAYLOAD, 2, {{"plugin ID", PT_UINT32, PF_DEC}, {"event_data", PT_BYTEBUF, PF_NA} } }, /* PPME_NA1 */{"pluginevent", EC_OTHER, EF_UNUSED, 0}, /* PPME_CONTAINER_JSON_2_E */{"container", EC_PROCESS, EF_MODIFIES_STATE | EF_LARGE_PAYLOAD, 1, {{"json", PT_CHARBUF, PF_NA} } }, /* PPME_CONTAINER_JSON_2_X */{"container", EC_PROCESS, EF_UNUSED, 0}, - /* PPME_SYSCALL_OPENAT2_E */{"openat2", EC_FILE, EF_CREATES_FD | EF_MODIFIES_STATE, 5, {{"dirfd", PT_FD, PF_DEC}, {"name", PT_FSRELPATH, PF_NA, DIRFD_PARAM(1)}, {"flags", PT_FLAGS32, PF_HEX, file_flags}, {"mode", PT_UINT32, PF_OCT}, {"resolve", PT_FLAGS32, PF_HEX, openat2_flags} } }, - /* PPME_SYSCALL_OPENAT2_X */{"openat2", EC_FILE, EF_CREATES_FD | EF_MODIFIES_STATE, 6, {{"fd", PT_FD, PF_DEC}, {"dirfd", PT_FD, PF_DEC}, {"name", PT_FSRELPATH, PF_NA, DIRFD_PARAM(1)}, {"flags", PT_FLAGS32, PF_HEX, file_flags}, {"mode", PT_UINT32, PF_OCT}, {"resolve", PT_FLAGS32, PF_HEX, openat2_flags} } }, + /* PPME_SYSCALL_OPENAT2_E */{"openat2", EC_FILE, EF_CREATES_FD | EF_MODIFIES_STATE, 5, {{"dirfd", PT_FD32, PF_DEC}, {"name", PT_FSRELPATH, PF_NA, DIRFD_PARAM(1)}, {"flags", PT_FLAGS32, PF_HEX, file_flags}, {"mode", PT_UINT32, PF_OCT}, {"resolve", PT_FLAGS32, PF_HEX, openat2_flags} } }, + /* PPME_SYSCALL_OPENAT2_X */{"openat2", EC_FILE, EF_CREATES_FD | EF_MODIFIES_STATE, 6, {{"fd", PT_FD32, PF_DEC}, {"dirfd", PT_FD32, PF_DEC}, {"name", PT_FSRELPATH, PF_NA, DIRFD_PARAM(1)}, {"flags", PT_FLAGS32, PF_HEX, file_flags}, {"mode", PT_UINT32, PF_OCT}, {"resolve", PT_FLAGS32, PF_HEX, openat2_flags} } }, /* PPME_SYSCALL_MPROTECT_E */{"mprotect", EC_MEMORY, EF_DROP_SIMPLE_CONS, 3, {{"addr", PT_UINT64, PF_HEX}, {"length", PT_UINT64, PF_DEC}, {"prot", PT_FLAGS32, PF_HEX, prot_flags} } }, - /* PPME_SYSCALL_MPROTECT_X */{"mprotect", EC_MEMORY, EF_DROP_SIMPLE_CONS, 1, {{"res", PT_ERRNO, PF_DEC} } }, - /* PPME_SYSCALL_EXECVEAT_E */{"execveat", EC_PROCESS, EF_MODIFIES_STATE, 3, {{"dirfd", PT_FD, PF_DEC}, {"pathname", PT_FSRELPATH, PF_NA, DIRFD_PARAM(0)}, {"flags", PT_FLAGS32, PF_HEX, execveat_flags} } }, - /* PPME_SYSCALL_EXECVEAT_X */{"execveat", EC_PROCESS, EF_MODIFIES_STATE, 23, {{"res", PT_ERRNO, PF_DEC}, {"exe", PT_CHARBUF, PF_NA}, {"args", PT_BYTEBUF, PF_NA}, {"tid", PT_PID, PF_DEC}, {"pid", PT_PID, PF_DEC}, {"ptid", PT_PID, PF_DEC}, {"cwd", PT_CHARBUF, PF_NA}, {"fdlimit", PT_UINT64, PF_DEC}, {"pgft_maj", PT_UINT64, PF_DEC}, {"pgft_min", PT_UINT64, PF_DEC}, {"vm_size", PT_UINT32, PF_DEC}, {"vm_rss", PT_UINT32, PF_DEC}, {"vm_swap", PT_UINT32, PF_DEC}, {"comm", PT_CHARBUF, PF_NA}, {"cgroups", PT_BYTEBUF, PF_NA}, {"env", PT_BYTEBUF, PF_NA}, {"tty", PT_INT32, PF_DEC}, {"pgid", PT_PID, PF_DEC}, {"loginuid", PT_INT32, PF_DEC}, {"flags", PT_FLAGS32, PF_HEX, execve_flags}, {"cap_inheritable", PT_UINT64, PF_HEX}, {"cap_permitted", PT_UINT64, PF_HEX}, {"cap_effective", PT_UINT64, PF_HEX} } }, - /* PPME_SYSCALL_COPY_FILE_RANGE_E */{"copy_file_range", EC_FILE, EF_USES_FD | EF_READS_FROM_FD | EF_WRITES_TO_FD, 3, {{"fdin", PT_FD, PF_DEC}, {"offin", PT_UINT64, PF_DEC}, {"len", PT_UINT64, PF_DEC} } }, - /* PPME_SYSCALL_COPY_FILE_RANGE_X */{"copy_file_range", EC_FILE, EF_USES_FD | EF_READS_FROM_FD | EF_WRITES_TO_FD, 3, {{"res", PT_ERRNO, PF_DEC}, {"fdout", PT_FD, PF_DEC}, {"offout", PT_UINT64, PF_DEC} } }, + /* PPME_SYSCALL_MPROTECT_X */{"mprotect", EC_MEMORY, EF_DROP_SIMPLE_CONS, 1, {{"res", PT_ERRNO32, PF_DEC} } }, + /* PPME_SYSCALL_EXECVEAT_E */{"execveat", EC_PROCESS, EF_MODIFIES_STATE, 3, {{"dirfd", PT_FD32, PF_DEC}, {"pathname", PT_FSRELPATH, PF_NA, DIRFD_PARAM(0)}, {"flags", PT_FLAGS32, PF_HEX, execveat_flags} } }, + /* PPME_SYSCALL_EXECVEAT_X */{"execveat", EC_PROCESS, EF_MODIFIES_STATE, 23, {{"res", PT_ERRNO32, PF_DEC}, {"exe", PT_CHARBUF, PF_NA}, {"args", PT_BYTEBUF, PF_NA}, {"tid", PT_PID32, PF_DEC}, {"pid", PT_PID32, PF_DEC}, {"ptid", PT_PID32, PF_DEC}, {"cwd", PT_CHARBUF, PF_NA}, {"fdlimit", PT_UINT64, PF_DEC}, {"pgft_maj", PT_UINT64, PF_DEC}, {"pgft_min", PT_UINT64, PF_DEC}, {"vm_size", PT_UINT32, PF_DEC}, {"vm_rss", PT_UINT32, PF_DEC}, {"vm_swap", PT_UINT32, PF_DEC}, {"comm", PT_CHARBUF, PF_NA}, {"cgroups", PT_BYTEBUF, PF_NA}, {"env", PT_BYTEBUF, PF_NA}, {"tty", PT_INT32, PF_DEC}, {"pgid", PT_PID32, PF_DEC}, {"loginuid", PT_INT32, PF_DEC}, {"flags", PT_FLAGS32, PF_HEX, execve_flags}, {"cap_inheritable", PT_UINT64, PF_HEX}, {"cap_permitted", PT_UINT64, PF_HEX}, {"cap_effective", PT_UINT64, PF_HEX} } }, + /* PPME_SYSCALL_COPY_FILE_RANGE_E */{"copy_file_range", EC_FILE, EF_USES_FD | EF_READS_FROM_FD | EF_WRITES_TO_FD, 3, {{"fdin", PT_FD32, PF_DEC}, {"offin", PT_UINT64, PF_DEC}, {"len", PT_UINT64, PF_DEC} } }, + /* PPME_SYSCALL_COPY_FILE_RANGE_X */{"copy_file_range", EC_FILE, EF_USES_FD | EF_READS_FROM_FD | EF_WRITES_TO_FD, 3, {{"res", PT_ERRNO32, PF_DEC}, {"fdout", PT_FD32, PF_DEC}, {"offout", PT_UINT64, PF_DEC} } }, /* PPME_SYSCALL_CLONE3_E */{"clone3", EC_PROCESS, EF_MODIFIES_STATE, 0}, - /* PPME_SYSCALL_CLONE3_X */{"clone3", EC_PROCESS, EF_MODIFIES_STATE, 20, {{"res", PT_PID, PF_DEC}, {"exe", PT_CHARBUF, PF_NA}, {"args", PT_BYTEBUF, PF_NA}, {"tid", PT_PID, PF_DEC}, {"pid", PT_PID, PF_DEC}, {"ptid", PT_PID, PF_DEC}, {"cwd", PT_CHARBUF, PF_NA}, {"fdlimit", PT_INT64, PF_DEC}, {"pgft_maj", PT_UINT64, PF_DEC}, {"pgft_min", PT_UINT64, PF_DEC}, {"vm_size", PT_UINT32, PF_DEC}, {"vm_rss", PT_UINT32, PF_DEC}, {"vm_swap", PT_UINT32, PF_DEC}, {"comm", PT_CHARBUF, PF_NA}, {"cgroups", PT_BYTEBUF, PF_NA}, {"flags", PT_FLAGS32, PF_HEX, clone_flags}, {"uid", PT_UINT32, PF_DEC}, {"gid", PT_UINT32, PF_DEC}, {"vtid", PT_PID, PF_DEC}, {"vpid", PT_PID, PF_DEC} } }, + /* PPME_SYSCALL_CLONE3_X */{"clone3", EC_PROCESS, EF_MODIFIES_STATE, 20, {{"res", PT_PID32, PF_DEC}, {"exe", PT_CHARBUF, PF_NA}, {"args", PT_BYTEBUF, PF_NA}, {"tid", PT_PID32, PF_DEC}, {"pid", PT_PID32, PF_DEC}, {"ptid", PT_PID32, PF_DEC}, {"cwd", PT_CHARBUF, PF_NA}, {"fdlimit", PT_INT64, PF_DEC}, {"pgft_maj", PT_UINT64, PF_DEC}, {"pgft_min", PT_UINT64, PF_DEC}, {"vm_size", PT_UINT32, PF_DEC}, {"vm_rss", PT_UINT32, PF_DEC}, {"vm_swap", PT_UINT32, PF_DEC}, {"comm", PT_CHARBUF, PF_NA}, {"cgroups", PT_BYTEBUF, PF_NA}, {"flags", PT_FLAGS32, PF_HEX, clone_flags}, {"uid", PT_UINT32, PF_DEC}, {"gid", PT_UINT32, PF_DEC}, {"vtid", PT_PID32, PF_DEC}, {"vpid", PT_PID32, PF_DEC} } }, /* PPME_SYSCALL_OPEN_BY_HANDLE_AT_E */{"open_by_handle_at", EC_FILE, EF_CREATES_FD | EF_MODIFIES_STATE, 0}, - /* PPME_SYSCALL_OPEN_BY_HANDLE_AT_X */{"open_by_handle_at", EC_FILE, EF_CREATES_FD | EF_MODIFIES_STATE, 4, {{"fd", PT_FD, PF_DEC}, {"mountfd", PT_FD, PF_DEC}, {"flags", PT_FLAGS32, PF_HEX, file_flags}, {"path", PT_FSPATH, PF_NA} } }, + /* PPME_SYSCALL_OPEN_BY_HANDLE_AT_X */{"open_by_handle_at", EC_FILE, EF_CREATES_FD | EF_MODIFIES_STATE, 4, {{"fd", PT_FD32, PF_DEC}, {"mountfd", PT_FD32, PF_DEC}, {"flags", PT_FLAGS32, PF_HEX, file_flags}, {"path", PT_FSPATH, PF_NA} } }, /* PPME_SYSCALL_IO_URING_SETUP_E */ {"io_uring_setup", EC_IO_OTHER, EF_CREATES_FD | EF_MODIFIES_STATE | EF_DROP_SIMPLE_CONS, 0}, - /* PPME_SYSCALL_IO_URING_SETUP_X */ {"io_uring_setup", EC_IO_OTHER, EF_CREATES_FD | EF_MODIFIES_STATE | EF_DROP_SIMPLE_CONS, 8, {{"res", PT_ERRNO, PF_DEC}, {"entries", PT_UINT32, PF_DEC}, {"sq_entries", PT_UINT32, PF_DEC},{"cq_entries", PT_UINT32, PF_DEC},{"flags", PT_FLAGS32, PF_HEX, io_uring_setup_flags},{"sq_thread_cpu", PT_UINT32, PF_DEC}, {"sq_thread_idle", PT_UINT32, PF_DEC},{"features", PT_FLAGS32, PF_HEX, io_uring_setup_feats}}}, + /* PPME_SYSCALL_IO_URING_SETUP_X */ {"io_uring_setup", EC_IO_OTHER, EF_CREATES_FD | EF_MODIFIES_STATE | EF_DROP_SIMPLE_CONS, 8, {{"res", PT_ERRNO32, PF_DEC}, {"entries", PT_UINT32, PF_DEC}, {"sq_entries", PT_UINT32, PF_DEC},{"cq_entries", PT_UINT32, PF_DEC},{"flags", PT_FLAGS32, PF_HEX, io_uring_setup_flags},{"sq_thread_cpu", PT_UINT32, PF_DEC}, {"sq_thread_idle", PT_UINT32, PF_DEC},{"features", PT_FLAGS32, PF_HEX, io_uring_setup_feats}}}, /* PPME_SYSCALL_IO_URING_ENTER_E */ {"io_uring_enter", EC_IO_OTHER, EF_DROP_SIMPLE_CONS, 0}, - /* PPME_SYSCALL_IO_URING_ENTER_X */ {"io_uring_enter", EC_IO_OTHER, EF_USES_FD | EF_WRITES_TO_FD | EF_DROP_SIMPLE_CONS, 6, {{"res", PT_ERRNO, PF_DEC}, {"fd", PT_FD, PF_DEC}, {"to_submit", PT_UINT32, PF_DEC}, {"min_complete", PT_UINT32, PF_DEC}, {"flags", PT_FLAGS32, PF_HEX, io_uring_enter_flags}, {"sig", PT_SIGSET, PF_DEC}}}, + /* PPME_SYSCALL_IO_URING_ENTER_X */ {"io_uring_enter", EC_IO_OTHER, EF_USES_FD | EF_WRITES_TO_FD | EF_DROP_SIMPLE_CONS, 6, {{"res", PT_ERRNO32, PF_DEC}, {"fd", PT_FD32, PF_DEC}, {"to_submit", PT_UINT32, PF_DEC}, {"min_complete", PT_UINT32, PF_DEC}, {"flags", PT_FLAGS32, PF_HEX, io_uring_enter_flags}, {"sig", PT_SIGSET, PF_DEC}}}, /* PPME_SYSCALL_IO_URING_REGISTER_E */ {"io_uring_register", EC_IO_OTHER, EF_DROP_SIMPLE_CONS, 0}, - /* PPME_SYSCALL_TO_URING_REGISTER_X */ {"io_uring_register", EC_IO_OTHER, EF_USES_FD | EF_MODIFIES_STATE | EF_DROP_SIMPLE_CONS, 5, {{"res", PT_ERRNO, PF_DEC}, {"fd", PT_FD, PF_DEC }, {"opcode", PT_ENUMFLAGS16, PF_DEC, io_uring_register_opcodes}, {"arg", PT_UINT64, PF_HEX}, {"nr_args", PT_UINT32, PF_DEC}}}, + /* PPME_SYSCALL_TO_URING_REGISTER_X */ {"io_uring_register", EC_IO_OTHER, EF_USES_FD | EF_MODIFIES_STATE | EF_DROP_SIMPLE_CONS, 5, {{"res", PT_ERRNO32, PF_DEC}, {"fd", PT_FD32, PF_DEC }, {"opcode", PT_ENUMFLAGS16, PF_DEC, io_uring_register_opcodes}, {"arg", PT_UINT64, PF_HEX}, {"nr_args", PT_UINT32, PF_DEC}}}, /* PPME_SYSCALL_MLOCK_E */ {"mlock", EC_MEMORY, EF_DROP_SIMPLE_CONS, 0}, - /* PPME_SYSCALL_MLOCK_X */ {"mlock", EC_MEMORY, EF_DROP_SIMPLE_CONS, 3, {{"res", PT_ERRNO, PF_DEC}, {"addr", PT_UINT64, PF_HEX}, {"len", PT_UINT64, PF_DEC}}}, + /* PPME_SYSCALL_MLOCK_X */ {"mlock", EC_MEMORY, EF_DROP_SIMPLE_CONS, 3, {{"res", PT_ERRNO32, PF_DEC}, {"addr", PT_UINT64, PF_HEX}, {"len", PT_UINT64, PF_DEC}}}, /* PPME_SYSCALL_MUNLOCK_E */ {"munlock", EC_MEMORY, EF_DROP_SIMPLE_CONS, 0}, - /* PPME_SYSCALL_MUNLOCK_X */ {"munlock", EC_MEMORY, EF_DROP_SIMPLE_CONS, 3, {{"res", PT_ERRNO, PF_DEC}, {"addr", PT_UINT64, PF_HEX}, {"len", PT_UINT64, PF_DEC}}}, + /* PPME_SYSCALL_MUNLOCK_X */ {"munlock", EC_MEMORY, EF_DROP_SIMPLE_CONS, 3, {{"res", PT_ERRNO32, PF_DEC}, {"addr", PT_UINT64, PF_HEX}, {"len", PT_UINT64, PF_DEC}}}, /* PPME_SYSCALL_MLOCKALL_E */ {"mlockall", EC_MEMORY, EF_DROP_SIMPLE_CONS, 0}, - /* PPME_SYSCALL_MLOCKALL_X */ {"mlockall", EC_MEMORY, EF_DROP_SIMPLE_CONS, 2, {{"res", PT_ERRNO, PF_DEC}, {"flags", PT_FLAGS32, PF_HEX, mlockall_flags}}}, + /* PPME_SYSCALL_MLOCKALL_X */ {"mlockall", EC_MEMORY, EF_DROP_SIMPLE_CONS, 2, {{"res", PT_ERRNO32, PF_DEC}, {"flags", PT_FLAGS32, PF_HEX, mlockall_flags}}}, /* PPME_SYSCALL_MUNLOCKALL_E */ {"munlockall", EC_MEMORY, EF_DROP_SIMPLE_CONS, 0}, - /* PPME_SYSCALL_MUNLOCKALL_X */ {"munlockall", EC_MEMORY, EF_DROP_SIMPLE_CONS, 1, {{"res", PT_ERRNO, PF_DEC}}}, + /* PPME_SYSCALL_MUNLOCKALL_X */ {"munlockall", EC_MEMORY, EF_DROP_SIMPLE_CONS, 1, {{"res", PT_ERRNO32, PF_DEC}}}, /* PPME_SYSCALL_CAPSET_E */{"capset", EC_PROCESS, EF_MODIFIES_STATE, 0}, - /* PPME_SYSCALL_CAPSET_X */{"capset", EC_PROCESS, EF_MODIFIES_STATE, 4, {{"res", PT_ERRNO, PF_DEC}, {"cap_inheritable", PT_UINT64, PF_HEX}, {"cap_permitted", PT_UINT64, PF_HEX}, {"cap_effective", PT_UINT64, PF_HEX} } }, + /* PPME_SYSCALL_CAPSET_X */{"capset", EC_PROCESS, EF_MODIFIES_STATE, 4, {{"res", PT_ERRNO32, PF_DEC}, {"cap_inheritable", PT_UINT64, PF_HEX}, {"cap_permitted", PT_UINT64, PF_HEX}, {"cap_effective", PT_UINT64, PF_HEX} } }, /* PPME_USER_ADDED_E */{"useradded", EC_PROCESS, EF_MODIFIES_STATE, 6, {{"uid", PT_UINT32, PF_DEC}, {"gid", PT_UINT32, PF_DEC}, {"name", PT_CHARBUF, PF_NA}, {"home", PT_CHARBUF, PF_NA}, {"shell", PT_CHARBUF, PF_NA}, {"container_id", PT_CHARBUF, PF_NA} } }, /* PPME_USER_ADDED_X */{"useradded", EC_PROCESS, EF_UNUSED, 0}, /* PPME_USER_DELETED_E */{"userdeleted", EC_PROCESS, EF_MODIFIES_STATE, 6, {{"uid", PT_UINT32, PF_DEC}, {"gid", PT_UINT32, PF_DEC}, {"name", PT_CHARBUF, PF_NA}, {"home", PT_CHARBUF, PF_NA}, {"shell", PT_CHARBUF, PF_NA}, {"container_id", PT_CHARBUF, PF_NA} } }, @@ -374,12 +374,12 @@ const struct ppm_event_info g_event_info[PPM_EVENT_MAX] = { /* PPME_GROUP_ADDED_X */{"groupadded", EC_PROCESS, EF_UNUSED, 0}, /* PPME_GROUP_DELETED_E */{"groupdeleted", EC_PROCESS, EF_MODIFIES_STATE, 3, {{"gid", PT_UINT32, PF_DEC}, {"name", PT_CHARBUF, PF_NA}, {"container_id", PT_CHARBUF, PF_NA} } }, /* PPME_GROUP_DELETED_X */{"groupdeleted", EC_PROCESS, EF_UNUSED, 0}, - /* PPME_SYSCALL_DUP2_E */{"dup2", EC_IO_OTHER, EF_CREATES_FD | EF_USES_FD | EF_MODIFIES_STATE, 1, {{"fd", PT_FD, PF_DEC} } }, - /* PPME_SYSCALL_DUP2_X */{"dup2", EC_IO_OTHER, EF_CREATES_FD | EF_USES_FD | EF_MODIFIES_STATE, 3, {{"res", PT_FD, PF_DEC}, {"oldfd", PT_FD, PF_DEC}, {"newfd", PT_FD, PF_DEC} } }, - /* PPME_SYSCALL_DUP3_E */{"dup3", EC_IO_OTHER, EF_CREATES_FD | EF_USES_FD | EF_MODIFIES_STATE, 1, {{"fd", PT_FD, PF_DEC} } }, - /* PPME_SYSCALL_DUP3_X */{"dup3", EC_IO_OTHER, EF_CREATES_FD | EF_USES_FD | EF_MODIFIES_STATE, 4, {{"res", PT_FD, PF_DEC}, {"oldfd", PT_FD, PF_DEC}, {"newfd", PT_FD, PF_DEC}, {"flags", PT_FLAGS32, PF_HEX, file_flags} } }, - /* PPME_SYSCALL_DUP_1_E */{"dup", EC_IO_OTHER, EF_CREATES_FD | EF_USES_FD | EF_MODIFIES_STATE, 1, {{"fd", PT_FD, PF_DEC} } }, - /* PPME_SYSCALL_DUP_1_X */{"dup", EC_IO_OTHER, EF_CREATES_FD | EF_USES_FD | EF_MODIFIES_STATE, 2, {{"res", PT_FD, PF_DEC}, {"oldfd", PT_FD, PF_DEC} } }, + /* PPME_SYSCALL_DUP2_E */{"dup2", EC_IO_OTHER, EF_CREATES_FD | EF_USES_FD | EF_MODIFIES_STATE, 1, {{"fd", PT_FD32, PF_DEC} } }, + /* PPME_SYSCALL_DUP2_X */{"dup2", EC_IO_OTHER, EF_CREATES_FD | EF_USES_FD | EF_MODIFIES_STATE, 3, {{"res", PT_FD32, PF_DEC}, {"oldfd", PT_FD32, PF_DEC}, {"newfd", PT_FD32, PF_DEC} } }, + /* PPME_SYSCALL_DUP3_E */{"dup3", EC_IO_OTHER, EF_CREATES_FD | EF_USES_FD | EF_MODIFIES_STATE, 1, {{"fd", PT_FD32, PF_DEC} } }, + /* PPME_SYSCALL_DUP3_X */{"dup3", EC_IO_OTHER, EF_CREATES_FD | EF_USES_FD | EF_MODIFIES_STATE, 4, {{"res", PT_FD32, PF_DEC}, {"oldfd", PT_FD32, PF_DEC}, {"newfd", PT_FD32, PF_DEC}, {"flags", PT_FLAGS32, PF_HEX, file_flags} } }, + /* PPME_SYSCALL_DUP_1_E */{"dup", EC_IO_OTHER, EF_CREATES_FD | EF_USES_FD | EF_MODIFIES_STATE, 1, {{"fd", PT_FD32, PF_DEC} } }, + /* PPME_SYSCALL_DUP_1_X */{"dup", EC_IO_OTHER, EF_CREATES_FD | EF_USES_FD | EF_MODIFIES_STATE, 2, {{"res", PT_FD32, PF_DEC}, {"oldfd", PT_FD32, PF_DEC} } }, /* NB: Starting from scap version 1.2, event types will no longer be changed when an event is modified, and the only kind of change permitted for pre-existent events is adding parameters. * New event types are allowed only for new syscalls or new internal events. * The number of parameters can be used to differentiate between event versions. diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/chmod.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/chmod.bpf.c index 226c13059b..44b9e56f13 100644 --- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/chmod.bpf.c +++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/chmod.bpf.c @@ -53,8 +53,8 @@ int BPF_PROG(chmod_x, /*=============================== COLLECT PARAMETERS ===========================*/ - /* Parameter 1: res (type: PT_ERRNO) */ - auxmap__store_s64_param(auxmap, ret); + /* Parameter 1: res (type: PT_ERRNO32) */ + auxmap__store_s32_param(auxmap, (s32)ret); /* Parameter 2: filename (type: PT_FSPATH) */ unsigned long path_pointer = extract__syscall_argument(regs, 0); diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/chroot.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/chroot.bpf.c index 42fa6ba4e3..ff91792b39 100644 --- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/chroot.bpf.c +++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/chroot.bpf.c @@ -53,8 +53,8 @@ int BPF_PROG(chroot_x, /*=============================== COLLECT PARAMETERS ===========================*/ - /* Parameter 1: res (type: PT_ERRNO) */ - auxmap__store_s64_param(auxmap, ret); + /* Parameter 1: res (type: PT_ERRNO32) */ + auxmap__store_s32_param(auxmap, (s32)ret); /* Parameter 2: path (type: PT_FSPATH) */ unsigned long path_pointer = extract__syscall_argument(regs, 0); diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/close.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/close.bpf.c index 1d519958e5..6b79f2454f 100644 --- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/close.bpf.c +++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/close.bpf.c @@ -24,9 +24,9 @@ int BPF_PROG(close_e, /*=============================== COLLECT PARAMETERS ===========================*/ - /* Parameter 1: fd (type: PT_FD)*/ + /* Parameter 1: fd (type: PT_FD32)*/ s32 fd = (s32)extract__syscall_argument(regs, 0); - ringbuf__store_s64(&ringbuf, (s64)fd); + ringbuf__store_s32(&ringbuf, fd); /*=============================== COLLECT PARAMETERS ===========================*/ @@ -54,8 +54,8 @@ int BPF_PROG(close_x, /*=============================== COLLECT PARAMETERS ===========================*/ - /* Parameter 1: res (type: PT_ERRNO)*/ - ringbuf__store_s64(&ringbuf, ret); + /* Parameter 1: res (type: PT_ERRNO32)*/ + ringbuf__store_s32(&ringbuf, (s32)ret); /*=============================== COLLECT PARAMETERS ===========================*/ diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/copy_file_range.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/copy_file_range.bpf.c index 37f4dc8fae..0b4162d361 100644 --- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/copy_file_range.bpf.c +++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/copy_file_range.bpf.c @@ -24,9 +24,9 @@ int BPF_PROG(copy_file_range_e, /*=============================== COLLECT PARAMETERS ===========================*/ - /* Parameter 1: fdin (type: PT_FD) */ + /* Parameter 1: fdin (type: PT_FD32) */ s32 fdin = (s32)extract__syscall_argument(regs, 0); - ringbuf__store_s64(&ringbuf, (s64)fdin); + ringbuf__store_s32(&ringbuf, fdin); /* Parameter 2: offin (type: PT_UINT64) */ u64 offin = extract__syscall_argument(regs, 1); @@ -62,12 +62,12 @@ int BPF_PROG(copy_file_range_x, /*=============================== COLLECT PARAMETERS ===========================*/ - /* Parameter 1: res (type: PT_ERRNO)*/ - ringbuf__store_s64(&ringbuf, ret); + /* Parameter 1: res (type: PT_ERRNO32)*/ + ringbuf__store_s32(&ringbuf, (s32)ret); - /* Parameter 2: fdout (type: PT_FD) */ + /* Parameter 2: fdout (type: PT_FD32) */ s32 fdout = (s32)extract__syscall_argument(regs, 2); - ringbuf__store_s64(&ringbuf, (s64)fdout); + ringbuf__store_s32(&ringbuf, fdout); /* Parameter 3: offout (type: PT_UINT64) */ u64 offout = extract__syscall_argument(regs, 3); diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/creat.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/creat.bpf.c index 36f892be30..37086645cf 100644 --- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/creat.bpf.c +++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/creat.bpf.c @@ -60,8 +60,8 @@ int BPF_PROG(creat_x, /*=============================== COLLECT PARAMETERS ===========================*/ - /* Parameter 1: fd (type: PT_FD) */ - auxmap__store_s64_param(auxmap, ret); + /* Parameter 1: fd (type: PT_FD32) */ + auxmap__store_s32_param(auxmap, (s32)ret); /* Parameter 2: name (type: PT_FSPATH) */ unsigned long name_pointer = extract__syscall_argument(regs, 0); diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/dup.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/dup.bpf.c index 889bb0fa57..0639981438 100644 --- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/dup.bpf.c +++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/dup.bpf.c @@ -24,9 +24,9 @@ int BPF_PROG(dup_e, /*=============================== COLLECT PARAMETERS ===========================*/ - /* Parameter 1: oldfd (type: PT_FD) */ + /* Parameter 1: oldfd (type: PT_FD32) */ s32 oldfd = (s32)extract__syscall_argument(regs, 0); - ringbuf__store_s64(&ringbuf, (s64)oldfd); + ringbuf__store_s32(&ringbuf, oldfd); /*=============================== COLLECT PARAMETERS ===========================*/ @@ -54,12 +54,12 @@ int BPF_PROG(dup_x, /*=============================== COLLECT PARAMETERS ===========================*/ - /* Parameter 1: res (type: PT_FD)*/ - ringbuf__store_s64(&ringbuf, ret); + /* Parameter 1: res (type: PT_FD32)*/ + ringbuf__store_s32(&ringbuf, (s32)ret); - /* Parameter 2: oldfd (type: PT_FD) */ + /* Parameter 2: oldfd (type: PT_FD32) */ s32 oldfd = (s32)extract__syscall_argument(regs, 0); - ringbuf__store_s64(&ringbuf, (s64)oldfd); + ringbuf__store_s32(&ringbuf, (oldfd)); /*=============================== COLLECT PARAMETERS ===========================*/ diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/dup2.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/dup2.bpf.c index caf0b9af2a..3cbd31757d 100644 --- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/dup2.bpf.c +++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/dup2.bpf.c @@ -24,9 +24,9 @@ int BPF_PROG(dup2_e, /*=============================== COLLECT PARAMETERS ===========================*/ - /* Parameter 1: oldfd (type: PT_FD) */ + /* Parameter 1: oldfd (type: PT_FD32) */ s32 oldfd = (s32)extract__syscall_argument(regs, 0); - ringbuf__store_s64(&ringbuf, (s64)oldfd); + ringbuf__store_s32(&ringbuf, oldfd); /*=============================== COLLECT PARAMETERS ===========================*/ @@ -54,16 +54,16 @@ int BPF_PROG(dup2_x, /*=============================== COLLECT PARAMETERS ===========================*/ - /* Parameter 1: res (type: PT_FD)*/ - ringbuf__store_s64(&ringbuf, ret); + /* Parameter 1: res (type: PT_FD32)*/ + ringbuf__store_s32(&ringbuf, (s32)ret); - /* Parameter 2: oldfd (type: PT_FD) */ + /* Parameter 2: oldfd (type: PT_FD32) */ s32 oldfd = (s32)extract__syscall_argument(regs, 0); - ringbuf__store_s64(&ringbuf, (s64)oldfd); + ringbuf__store_s64(&ringbuf, oldfd); - /* Parameter 3: newfd (type: PT_FD) */ + /* Parameter 3: newfd (type: PT_FD32) */ s32 newfd = (s32)extract__syscall_argument(regs, 1); - ringbuf__store_s64(&ringbuf, (s64)newfd); + ringbuf__store_s64(&ringbuf, newfd); /*=============================== COLLECT PARAMETERS ===========================*/ diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/dup3.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/dup3.bpf.c index e41d9307b9..16179114f4 100644 --- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/dup3.bpf.c +++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/dup3.bpf.c @@ -24,9 +24,9 @@ int BPF_PROG(dup3_e, /*=============================== COLLECT PARAMETERS ===========================*/ - /* Parameter 1: oldfd (type: PT_FD) */ + /* Parameter 1: oldfd (type: PT_FD32) */ s32 oldfd = (s32)extract__syscall_argument(regs, 0); - ringbuf__store_s64(&ringbuf, (s64)oldfd); + ringbuf__store_s32(&ringbuf, oldfd); /*=============================== COLLECT PARAMETERS ===========================*/ @@ -54,16 +54,16 @@ int BPF_PROG(dup3_x, /*=============================== COLLECT PARAMETERS ===========================*/ - /* Parameter 1: res (type: PT_FD)*/ - ringbuf__store_s64(&ringbuf, ret); + /* Parameter 1: res (type: PT_FD32)*/ + ringbuf__store_s32(&ringbuf, (s32)ret); - /* Parameter 2: oldfd (type: PT_FD) */ + /* Parameter 2: oldfd (type: PT_FD32) */ s32 oldfd = (s32)extract__syscall_argument(regs, 0); - ringbuf__store_s64(&ringbuf, (s64)oldfd); + ringbuf__store_s32(&ringbuf, oldfd); - /* Parameter 3: newfd (type: PT_FD) */ + /* Parameter 3: newfd (type: PT_FD32) */ s32 newfd = (s32)extract__syscall_argument(regs, 1); - ringbuf__store_s64(&ringbuf, (s64)newfd); + ringbuf__store_s32(&ringbuf, newfd); /* Parameter 4: flags (type: PT_FLAGS32) */ unsigned long flags = extract__syscall_argument(regs, 2); diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/fchdir.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/fchdir.bpf.c index a680ef03fa..1f7db4bc68 100644 --- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/fchdir.bpf.c +++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/fchdir.bpf.c @@ -24,9 +24,9 @@ int BPF_PROG(fchdir_e, /*=============================== COLLECT PARAMETERS ===========================*/ - /* Parameter 1: fd (type: PT_FD) */ + /* Parameter 1: fd (type: PT_FD32) */ s32 fd = (s32)extract__syscall_argument(regs, 0); - ringbuf__store_s64(&ringbuf, (s64)fd); + ringbuf__store_s32(&ringbuf, fd); /*=============================== COLLECT PARAMETERS ===========================*/ @@ -54,8 +54,8 @@ int BPF_PROG(fchdir_x, /*=============================== COLLECT PARAMETERS ===========================*/ - /* Parameter 1: res (type: PT_ERRNO)*/ - ringbuf__store_s64(&ringbuf, ret); + /* Parameter 1: res (type: PT_ERRNO32)*/ + ringbuf__store_s32(&ringbuf, (s32)ret); /*=============================== COLLECT PARAMETERS ===========================*/ diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/fchmod.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/fchmod.bpf.c index 7d17226a37..dd453fa80d 100644 --- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/fchmod.bpf.c +++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/fchmod.bpf.c @@ -53,12 +53,12 @@ int BPF_PROG(fchmod_x, /*=============================== COLLECT PARAMETERS ===========================*/ - /* Parameter 1: res (type: PT_ERRNO) */ - ringbuf__store_s64(&ringbuf, ret); + /* Parameter 1: res (type: PT_ERRNO32) */ + ringbuf__store_s32(&ringbuf, (s32)ret); - /* Parameter 2: fd (type: PT_FD) */ + /* Parameter 2: fd (type: PT_FD32) */ s32 fd = (s32)extract__syscall_argument(regs, 0); - ringbuf__store_s64(&ringbuf, (s64)fd); + ringbuf__store_s32(&ringbuf, fd); /* Parameter 3: mode (type: PT_MODE) */ unsigned long mode = extract__syscall_argument(regs, 1); diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/fchmodat.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/fchmodat.bpf.c index 2551109e07..09479f12b0 100644 --- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/fchmodat.bpf.c +++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/fchmodat.bpf.c @@ -53,16 +53,16 @@ int BPF_PROG(fchmodat_x, /*=============================== COLLECT PARAMETERS ===========================*/ - /* Parameter 1: res (type: PT_ERRNO) */ - auxmap__store_s64_param(auxmap, ret); + /* Parameter 1: res (type: PT_ERRNO32) */ + auxmap__store_s32_param(auxmap, (s32)ret); - /* Parameter 2: dirfd (type: PT_FD) */ + /* Parameter 2: dirfd (type: PT_FD32) */ s32 dirfd = (s32)extract__syscall_argument(regs, 0); if(dirfd == AT_FDCWD) { dirfd = PPM_AT_FDCWD; } - auxmap__store_s64_param(auxmap, (s64)dirfd); + auxmap__store_s32_param(auxmap, dirfd); /* Parameter 3: filename (type: PT_FSRELPATH) */ unsigned long path_pointer = extract__syscall_argument(regs, 1); diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/mkdir.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/mkdir.bpf.c index 9ef5864022..2d13a91d6f 100644 --- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/mkdir.bpf.c +++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/mkdir.bpf.c @@ -55,8 +55,8 @@ int BPF_PROG(mkdir_x, /*=============================== COLLECT PARAMETERS ===========================*/ - /* Parameter 1: res (type: PT_ERRNO) */ - auxmap__store_s64_param(auxmap, ret); + /* Parameter 1: res (type: PT_ERRNO32) */ + auxmap__store_s32_param(auxmap, (s32)ret); /* Parameter 2: path (type: PT_FSPATH) */ unsigned long path_pointer = extract__syscall_argument(regs, 0); diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/mkdirat.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/mkdirat.bpf.c index 2366eb69a0..e518472b67 100644 --- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/mkdirat.bpf.c +++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/mkdirat.bpf.c @@ -53,16 +53,16 @@ int BPF_PROG(mkdirat_x, /*=============================== COLLECT PARAMETERS ===========================*/ - /* Parameter 1: res (type: PT_ERRNO) */ - auxmap__store_s64_param(auxmap, ret); + /* Parameter 1: res (type: PT_ERRNO32) */ + auxmap__store_s32_param(auxmap, (s32)ret); - /* Parameter 2: dirfd (type: PT_FD) */ + /* Parameter 2: dirfd (type: PT_FD32) */ s32 dirfd = (s32)extract__syscall_argument(regs, 0); if(dirfd == AT_FDCWD) { dirfd = PPM_AT_FDCWD; } - auxmap__store_s64_param(auxmap, (s64)dirfd); + auxmap__store_s32_param(auxmap, dirfd); /* Parameter 3: path (type: PT_FSRELPATH) */ unsigned long path_pointer = extract__syscall_argument(regs, 1); diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/open.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/open.bpf.c index ea12c15190..7044302168 100644 --- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/open.bpf.c +++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/open.bpf.c @@ -64,8 +64,8 @@ int BPF_PROG(open_x, /*=============================== COLLECT PARAMETERS ===========================*/ - /* Parameter 1: ret (type: PT_FD) */ - auxmap__store_s64_param(auxmap, ret); + /* Parameter 1: ret (type: PT_FD32) */ + auxmap__store_s32_param(auxmap, (s32)ret); /* Parameter 2: name (type: PT_FSPATH) */ unsigned long name_pointer = extract__syscall_argument(regs, 0); diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/open_by_handle_at.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/open_by_handle_at.bpf.c index 0b6c8bd77e..378c9b0786 100644 --- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/open_by_handle_at.bpf.c +++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/open_by_handle_at.bpf.c @@ -53,16 +53,16 @@ int BPF_PROG(open_by_handle_at_x, /*=============================== COLLECT PARAMETERS ===========================*/ - /* Parameter 1: ret (type: PT_FD) */ - auxmap__store_s64_param(auxmap, ret); + /* Parameter 1: ret (type: PT_FD32) */ + auxmap__store_s32_param(auxmap, (s32)ret); - /* Parameter 2: mountfd (type: PT_FD) */ + /* Parameter 2: mountfd (type: PT_FD32) */ s32 mountfd = (s32)extract__syscall_argument(regs, 0); if(mountfd == AT_FDCWD) { mountfd = PPM_AT_FDCWD; } - auxmap__store_s64_param(auxmap, (s64)mountfd); + auxmap__store_s32_param(auxmap, mountfd); /* Parameter 3: flags (type: PT_FLAGS32) */ u32 flags = (u32)extract__syscall_argument(regs, 2); diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/openat.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/openat.bpf.c index b794af720f..fc57e66062 100644 --- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/openat.bpf.c +++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/openat.bpf.c @@ -24,13 +24,13 @@ int BPF_PROG(openat_e, /*=============================== COLLECT PARAMETERS ===========================*/ - /* Parameter 1: dirfd (type: PT_FD) */ + /* Parameter 1: dirfd (type: PT_FD32) */ s32 dirfd = (s32)extract__syscall_argument(regs, 0); if(dirfd == AT_FDCWD) { dirfd = PPM_AT_FDCWD; } - auxmap__store_s64_param(auxmap, (s64)dirfd); + auxmap__store_s32_param(auxmap, dirfd); /* Parameter 2: name (type: PT_FSRELPATH) */ unsigned long path_pointer = extract__syscall_argument(regs, 1); @@ -72,16 +72,16 @@ int BPF_PROG(openat_x, /*=============================== COLLECT PARAMETERS ===========================*/ - /* Parameter 1: fd (type: PT_FD) */ - auxmap__store_s64_param(auxmap, ret); + /* Parameter 1: fd (type: PT_FD32) */ + auxmap__store_s32_param(auxmap, (s32)ret); - /* Parameter 2: dirfd (type: PT_FD) */ + /* Parameter 2: dirfd (type: PT_FD32) */ s32 dirfd = (s32)extract__syscall_argument(regs, 0); if(dirfd == AT_FDCWD) { dirfd = PPM_AT_FDCWD; } - auxmap__store_s64_param(auxmap, (s64)dirfd); + auxmap__store_s32_param(auxmap, dirfd); /* Parameter 3: name (type: PT_FSRELPATH) */ unsigned long path_pointer = extract__syscall_argument(regs, 1); diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/openat2.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/openat2.bpf.c index 63d34c1a8e..3c2add0b41 100644 --- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/openat2.bpf.c +++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/openat2.bpf.c @@ -24,13 +24,13 @@ int BPF_PROG(openat2_e, /*=============================== COLLECT PARAMETERS ===========================*/ - /* Parameter 1: dirfd (type: PT_FD) */ + /* Parameter 1: dirfd (type: PT_FD32) */ s32 dirfd = (s32)extract__syscall_argument(regs, 0); if(dirfd == AT_FDCWD) { dirfd = PPM_AT_FDCWD; } - auxmap__store_s64_param(auxmap, (s64)dirfd); + auxmap__store_s32_param(auxmap, dirfd); /* Parameter 2: name (type: PT_FSRELPATH) */ unsigned long path_pointer = extract__syscall_argument(regs, 1); @@ -78,16 +78,16 @@ int BPF_PROG(openat2_x, /*=============================== COLLECT PARAMETERS ===========================*/ - /* Parameter 1: fd (type: PT_FD) */ - auxmap__store_s64_param(auxmap, ret); + /* Parameter 1: fd (type: PT_FD32) */ + auxmap__store_s32_param(auxmap, (int32_t)ret); - /* Parameter 2: dirfd (type: PT_FD) */ + /* Parameter 2: dirfd (type: PT_FD32) */ s32 dirfd = (s32)extract__syscall_argument(regs, 0); if(dirfd == AT_FDCWD) { dirfd = PPM_AT_FDCWD; } - auxmap__store_s64_param(auxmap, (s64)dirfd); + auxmap__store_s32_param(auxmap, dirfd); /* Parameter 3: name (type: PT_FSRELPATH) */ unsigned long path_pointer = extract__syscall_argument(regs, 1); diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/rmdir.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/rmdir.bpf.c index 3106baa66c..07810cbe86 100644 --- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/rmdir.bpf.c +++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/rmdir.bpf.c @@ -53,8 +53,8 @@ int BPF_PROG(rmdir_x, /*=============================== COLLECT PARAMETERS ===========================*/ - /* Parameter 1: res (type: PT_ERRNO) */ - auxmap__store_s64_param(auxmap, ret); + /* Parameter 1: res (type: PT_ERRNO32) */ + auxmap__store_s32_param(auxmap, (s32)ret); /* Parameter 2: path (type: PT_CHARBUF) */ unsigned long path_pointer = extract__syscall_argument(regs, 0); diff --git a/driver/ppm_events.c b/driver/ppm_events.c index 4a934df95a..562d4da055 100644 --- a/driver/ppm_events.c +++ b/driver/ppm_events.c @@ -732,6 +732,7 @@ int val_to_ring(struct event_filler_arguments *args, uint64_t val, u32 val_len, case PT_SOCKADDR: case PT_SOCKTUPLE: case PT_FDLIST: + case PT_FDLIST32: if (likely(val != 0)) { if (unlikely(val_len >= max_arg_size)) return PPM_FAILURE_BUFFER_FULL; @@ -828,6 +829,9 @@ int val_to_ring(struct event_filler_arguments *args, uint64_t val, u32 val_len, break; case PT_INT32: + case PT_ERRNO32: + case PT_FD32: + case PT_PID32: if (likely(max_arg_size >= sizeof(s32))) { *(s32 *)(args->buffer + args->arg_data_offset) = (s32)(long)val; len = sizeof(s32); diff --git a/driver/ppm_events_public.h b/driver/ppm_events_public.h index 3276cf4410..5c54a246f8 100644 --- a/driver/ppm_events_public.h +++ b/driver/ppm_events_public.h @@ -408,7 +408,8 @@ or GPL2.txt for full copies of the license. #define PPM_SOCKOPT_IDX_UINT32 2 #define PPM_SOCKOPT_IDX_UINT64 3 #define PPM_SOCKOPT_IDX_TIMEVAL 4 -#define PPM_SOCKOPT_IDX_MAX 5 +#define PPM_SOCKOPT_IDX_ERRNO32 5 +#define PPM_SOCKOPT_IDX_MAX 6 /* * ptrace requests @@ -463,8 +464,9 @@ or GPL2.txt for full copies of the license. #define PPM_BPF_IDX_FD 0 #define PPM_BPF_IDX_RES 1 - -#define PPM_BPF_IDX_MAX 2 +#define PPM_BPF_IDX_FD32 3 +#define PPM_BPF_IDX_RES32 4 +#define PPM_BPF_IDX_MAX 5 /* * memory protection flags @@ -1595,7 +1597,11 @@ enum ppm_param_type { PT_ENUMFLAGS8 = 44, /* this is an UINT8, but will be interpreted as an enum flag, ie: contiguous values flag. */ PT_ENUMFLAGS16 = 45, /* this is an UINT16, but will be interpreted as an enum flag, ie: contiguous values flag. */ PT_ENUMFLAGS32 = 46, /* this is an UINT32, but will be interpreted as an enum flag, ie: contiguous values flag. */ - PT_MAX = 47 /* array size */ + PT_FD32 = 47, /* An fd, 32bit */ + PT_PID32 = 48, /* A pid/tid, 32bit */ + PT_ERRNO32 = 49, /* this is an INT32, but will be interpreted as an error code */ + PT_FDLIST32 = 50, /* A list of fds, 16bit count + count * (32bit fd + 16bit flags) */ + PT_MAX = 51 /* array size */ }; enum ppm_print_format { diff --git a/driver/ppm_fillers.c b/driver/ppm_fillers.c index f04ca8f1d8..470338f74a 100644 --- a/driver/ppm_fillers.c +++ b/driver/ppm_fillers.c @@ -1743,7 +1743,7 @@ static int parse_sockopt(struct event_filler_arguments *args, int level, int opt case SO_ERROR: if (unlikely(ppm_copy_from_user(&u.val32, optval, sizeof(u.val32)))) return PPM_FAILURE_INVALID_USER_MEMORY; - return val_to_ring(args, -(int)u.val32, 0, false, PPM_SOCKOPT_IDX_ERRNO); + return val_to_ring(args, -(int)u.val32, 0, false, PPM_SOCKOPT_IDX_ERRNO32); #endif #ifdef SO_RCVTIMEO @@ -6113,16 +6113,16 @@ int f_sys_access_e(struct event_filler_arguments *args) int f_sys_bpf_x(struct event_filler_arguments *args) { - int64_t retval; + int32_t retval; unsigned long cmd; int res; /* * res, if failure or depending on cmd */ - retval = (int64_t)(long)syscall_get_return_value(current, args->regs); + retval = (int32_t)syscall_get_return_value(current, args->regs); if (retval < 0) { - res = val_to_ring(args, retval, 0, false, PPM_BPF_IDX_RES); + res = val_to_ring(args, retval, 0, false, PPM_BPF_IDX_RES32); if (unlikely(res != PPM_SUCCESS)) return res; @@ -6142,11 +6142,11 @@ int f_sys_bpf_x(struct event_filler_arguments *args) #endif #endif /* UDIG */ { - res = val_to_ring(args, retval, 0, false, PPM_BPF_IDX_FD); + res = val_to_ring(args, retval, 0, false, PPM_BPF_IDX_FD32); } else { - res = val_to_ring(args, retval, 0, false, PPM_BPF_IDX_RES); + res = val_to_ring(args, retval, 0, false, PPM_BPF_IDX_RES32); } if (unlikely(res != PPM_SUCCESS)) return res; @@ -6360,7 +6360,7 @@ int f_sched_prog_exec(struct event_filler_arguments *args) const struct cred *cred = NULL; - /* Parameter 1: res (type: PT_ERRNO) */ + /* Parameter 1: res (type: PT_ERRNO32) */ /* Please note: if this filler is called the execve is correctly * performed, so the return value will be always 0. */ @@ -6429,27 +6429,27 @@ int f_sched_prog_exec(struct event_filler_arguments *args) return res; } - /* Parameter 4: tid (type: PT_PID) */ - res = val_to_ring(args, (int64_t)current->pid, 0, false, 0); + /* Parameter 4: tid (type: PT_PID32) */ + res = val_to_ring(args, current->pid, 0, false, 0); if(unlikely(res != PPM_SUCCESS)) { return res; } - /* Parameter 5: pid (type: PT_PID) */ - res = val_to_ring(args, (int64_t)current->tgid, 0, false, 0); + /* Parameter 5: pid (type: PT_PID32) */ + res = val_to_ring(args, current->tgid, 0, false, 0); if(unlikely(res != PPM_SUCCESS)) { return res; } - /* Parameter 6: ptid (type: PT_PID) */ + /* Parameter 6: ptid (type: PT_PID32) */ if(current->real_parent) { ptid = current->real_parent->pid; } - res = val_to_ring(args, (int64_t)ptid, 0, false, 0); + res = val_to_ring(args, ptid, 0, false, 0); if(unlikely(res != PPM_SUCCESS)) { return res; @@ -6569,8 +6569,8 @@ int f_sched_prog_exec(struct event_filler_arguments *args) return res; } - /* Parameter 18: pgid (type: PT_PID) */ - res = val_to_ring(args, (int64_t)task_pgrp_nr_ns(current, task_active_pid_ns(current)), 0, false, 0); + /* Parameter 18: pgid (type: PT_PID32) */ + res = val_to_ring(args, task_pgrp_nr_ns(current, task_active_pid_ns(current)), 0, false, 0); if(unlikely(res != PPM_SUCCESS)) { return res; @@ -6675,7 +6675,7 @@ int f_sched_prog_fork(struct event_filler_arguments *args) uint64_t egid = child->cred->egid.val; struct pid_namespace *pidns = task_active_pid_ns(child); - /* Parameter 1: res (type: PT_ERRNO) */ + /* Parameter 1: res (type: PT_ERRNO32) */ /* Please note: here we are in the clone child exit * event, so the return value will be always 0. */ @@ -6744,27 +6744,27 @@ int f_sched_prog_fork(struct event_filler_arguments *args) return res; } - /* Parameter 4: tid (type: PT_PID) */ - res = val_to_ring(args, (int64_t)child->pid, 0, false, 0); + /* Parameter 4: tid (type: PT_PID32) */ + res = val_to_ring(args, child->pid, 0, false, 0); if(unlikely(res != PPM_SUCCESS)) { return res; } - /* Parameter 5: pid (type: PT_PID) */ - res = val_to_ring(args, (int64_t)child->tgid, 0, false, 0); + /* Parameter 5: pid (type: PT_PID32) */ + res = val_to_ring(args, child->tgid, 0, false, 0); if(unlikely(res != PPM_SUCCESS)) { return res; } - /* Parameter 6: ptid (type: PT_PID) */ + /* Parameter 6: ptid (type: PT_PID32) */ if(child->real_parent) { ptid = child->real_parent->pid; } - res = val_to_ring(args, (int64_t)ptid, 0, false, 0); + res = val_to_ring(args, ptid, 0, false, 0); if(unlikely(res != PPM_SUCCESS)) { return res; @@ -6901,14 +6901,14 @@ int f_sched_prog_fork(struct event_filler_arguments *args) return res; } - /* Parameter 19: vtid (type: PT_PID) */ + /* Parameter 19: vtid (type: PT_PID32) */ res = val_to_ring(args, task_pid_vnr(child), 0, false, 0); if(unlikely(res != PPM_SUCCESS)) { return res; } - /* Parameter 20: vpid (type: PT_PID) */ + /* Parameter 20: vpid (type: PT_PID32) */ res = val_to_ring(args, task_tgid_vnr(child), 0, false, 0); if(unlikely(res != PPM_SUCCESS)) { diff --git a/test/modern_bpf/test_suites/syscall_exit_suite/chdir_x.cpp b/test/modern_bpf/test_suites/syscall_exit_suite/chdir_x.cpp index f9ef4fa635..bfc24940d9 100644 --- a/test/modern_bpf/test_suites/syscall_exit_suite/chdir_x.cpp +++ b/test/modern_bpf/test_suites/syscall_exit_suite/chdir_x.cpp @@ -17,7 +17,7 @@ TEST(SyscallExit, chdirX) const char* new_dir = "mock_dir"; assert_syscall_state(SYSCALL_FAILURE, "chdir", syscall(__NR_chdir, new_dir)); - int64_t errno_value = -errno; + int32_t errno_value = -errno; /*=============================== TRIGGER SYSCALL ===========================*/ @@ -36,8 +36,8 @@ TEST(SyscallExit, chdirX) /*=============================== ASSERT PARAMETERS ===========================*/ - /* Parameter 1: res (type: PT_ERRNO)*/ - evt_test->assert_numeric_param(1, (int64_t)errno_value); + /* Parameter 1: res (type: PT_ERRNO32)*/ + evt_test->assert_numeric_param(1, errno_value); /* Parameter 2: path (type: PT_CHARBUF) */ evt_test->assert_charbuf_param(2, new_dir); diff --git a/test/modern_bpf/test_suites/syscall_exit_suite/chmod_x.cpp b/test/modern_bpf/test_suites/syscall_exit_suite/chmod_x.cpp index 7af713ab76..8f539a0573 100644 --- a/test/modern_bpf/test_suites/syscall_exit_suite/chmod_x.cpp +++ b/test/modern_bpf/test_suites/syscall_exit_suite/chmod_x.cpp @@ -12,7 +12,7 @@ TEST(SyscallExit, chmodX) const char* filename = "*//null"; uint32_t mode = S_IXUSR; assert_syscall_state(SYSCALL_FAILURE, "chmod", syscall(__NR_chmod, filename, mode)); - int64_t errno_value = -errno; + int32_t errno_value = -errno; /*=============================== TRIGGER SYSCALL ===========================*/ @@ -31,7 +31,7 @@ TEST(SyscallExit, chmodX) /*=============================== ASSERT PARAMETERS ===========================*/ - /* Parameter 1: res (type: PT_ERRNO) */ + /* Parameter 1: res (type: PT_ERRNO32) */ evt_test->assert_numeric_param(1, errno_value); /* Parameter 2: filename (type: PT_FSPATH) */ diff --git a/test/modern_bpf/test_suites/syscall_exit_suite/chroot_x.cpp b/test/modern_bpf/test_suites/syscall_exit_suite/chroot_x.cpp index ebb801990a..a752c60702 100644 --- a/test/modern_bpf/test_suites/syscall_exit_suite/chroot_x.cpp +++ b/test/modern_bpf/test_suites/syscall_exit_suite/chroot_x.cpp @@ -12,7 +12,7 @@ TEST(SyscallExit, chrootX) const char* path = "*//null"; assert_syscall_state(SYSCALL_FAILURE, "chroot", syscall(__NR_chroot, path)); - int64_t errno_value = -errno; + int32_t errno_value = -errno; /*=============================== TRIGGER SYSCALL ===========================*/ @@ -31,8 +31,8 @@ TEST(SyscallExit, chrootX) /*=============================== ASSERT PARAMETERS ===========================*/ - /* Parameter 1: res (type: PT_ERRNO)*/ - evt_test->assert_numeric_param(1, (int64_t)errno_value); + /* Parameter 1: res (type: PT_ERRNO32)*/ + evt_test->assert_numeric_param(1, errno_value); /* Parameter 2: path (type: PT_FSPATH) */ evt_test->assert_charbuf_param(2, path); diff --git a/test/modern_bpf/test_suites/syscall_exit_suite/close_x.cpp b/test/modern_bpf/test_suites/syscall_exit_suite/close_x.cpp index 097431e465..92737d7435 100644 --- a/test/modern_bpf/test_suites/syscall_exit_suite/close_x.cpp +++ b/test/modern_bpf/test_suites/syscall_exit_suite/close_x.cpp @@ -11,7 +11,7 @@ TEST(SyscallExit, closeX) int invalid_fd = -1; assert_syscall_state(SYSCALL_FAILURE, "close", syscall(__NR_close, invalid_fd)); - int64_t errno_value = -errno; + int32_t errno_value = -errno; /*=============================== TRIGGER SYSCALL ===========================*/ @@ -30,7 +30,7 @@ TEST(SyscallExit, closeX) /*=============================== ASSERT PARAMETERS ===========================*/ - /* Parameter 1: ret (type: PT_ERRNO)*/ + /* Parameter 1: ret (type: PT_ERRNO32)*/ evt_test->assert_numeric_param(1, errno_value); /*=============================== ASSERT PARAMETERS ===========================*/ diff --git a/test/modern_bpf/test_suites/syscall_exit_suite/copy_file_range_x.cpp b/test/modern_bpf/test_suites/syscall_exit_suite/copy_file_range_x.cpp index 1bfa06f547..08535c5cc5 100644 --- a/test/modern_bpf/test_suites/syscall_exit_suite/copy_file_range_x.cpp +++ b/test/modern_bpf/test_suites/syscall_exit_suite/copy_file_range_x.cpp @@ -16,7 +16,7 @@ TEST(SyscallExit, copy_file_rangeX) size_t len = 20; uint32_t flags = 0; assert_syscall_state(SYSCALL_FAILURE, "copy_file_range", syscall(__NR_copy_file_range, fd_in, off_in, fd_out, off_out, len, flags)); - int64_t errno_value = -errno; + int32_t errno_value = -errno; /*=============================== TRIGGER SYSCALL ===========================*/ @@ -35,11 +35,11 @@ TEST(SyscallExit, copy_file_rangeX) /*=============================== ASSERT PARAMETERS ===========================*/ - /* Parameter 1: res (type: PT_FD) */ - evt_test->assert_numeric_param(1, (int64_t)errno_value); + /* Parameter 1: res (type: PT_FD32) */ + evt_test->assert_numeric_param(1, errno_value); - /* Parameter 2: fdout (type: PT_FD) */ - evt_test->assert_numeric_param(2, (int64_t)fd_out); + /* Parameter 2: fdout (type: PT_FD32) */ + evt_test->assert_numeric_param(2, fd_out); /* Parameter 3: offout (type: PT_UINT64) */ evt_test->assert_numeric_param(3, (uint64_t)off_out); diff --git a/test/modern_bpf/test_suites/syscall_exit_suite/creat_x.cpp b/test/modern_bpf/test_suites/syscall_exit_suite/creat_x.cpp index 4f42d0e53e..7789ada1ac 100644 --- a/test/modern_bpf/test_suites/syscall_exit_suite/creat_x.cpp +++ b/test/modern_bpf/test_suites/syscall_exit_suite/creat_x.cpp @@ -43,8 +43,8 @@ TEST(SyscallExit, creatX_success) /*=============================== ASSERT PARAMETERS ===========================*/ - /* Parameter 1: fd (type: PT_FD) */ - evt_test->assert_numeric_param(1, (int64_t)fd); + /* Parameter 1: fd (type: PT_FD32) */ + evt_test->assert_numeric_param(1, fd); /* Parameter 2: name (type: PT_FSPATH) */ evt_test->assert_charbuf_param(2, path); @@ -75,7 +75,7 @@ TEST(SyscallExit, creatX_failure) const char* path = "*//null"; mode_t mode = S_IRGRP; assert_syscall_state(SYSCALL_FAILURE, "creat", syscall(__NR_creat, path, mode)); - int64_t errno_value = -errno; + int32_t errno_value = -errno; /*=============================== TRIGGER SYSCALL ===========================*/ @@ -94,8 +94,8 @@ TEST(SyscallExit, creatX_failure) /*=============================== ASSERT PARAMETERS ===========================*/ - /* Parameter 1: fd (type: PT_FD) */ - evt_test->assert_numeric_param(1, (int64_t)errno_value); + /* Parameter 1: fd (type: PT_FD32) */ + evt_test->assert_numeric_param(1, errno_value); /* Parameter 2: name (type: PT_FSPATH) */ evt_test->assert_charbuf_param(2, path); diff --git a/test/modern_bpf/test_suites/syscall_exit_suite/dup2_x.cpp b/test/modern_bpf/test_suites/syscall_exit_suite/dup2_x.cpp index b4a7ba0ac7..4f5f50d037 100644 --- a/test/modern_bpf/test_suites/syscall_exit_suite/dup2_x.cpp +++ b/test/modern_bpf/test_suites/syscall_exit_suite/dup2_x.cpp @@ -37,14 +37,14 @@ TEST(SyscallExit, dup2X) /*=============================== ASSERT PARAMETERS ===========================*/ - /* Parameter 1: res (type: PT_FD) */ - evt_test->assert_numeric_param(1, (int64_t)res); + /* Parameter 1: res (type: PT_FD32) */ + evt_test->assert_numeric_param(1, res); - /* Parameter 2: oldfd (type: PT_FD) */ - evt_test->assert_numeric_param(2, (int64_t)old_fd); + /* Parameter 2: oldfd (type: PT_FD32) */ + evt_test->assert_numeric_param(2, old_fd); - /* Parameter 3: newfd (type: PT_FD) */ - evt_test->assert_numeric_param(3, (int64_t)new_fd); + /* Parameter 3: newfd (type: PT_FD32) */ + evt_test->assert_numeric_param(3, new_fd); /*=============================== ASSERT PARAMETERS ===========================*/ diff --git a/test/modern_bpf/test_suites/syscall_exit_suite/dup3_x.cpp b/test/modern_bpf/test_suites/syscall_exit_suite/dup3_x.cpp index 55dc78cdab..d399538a6c 100644 --- a/test/modern_bpf/test_suites/syscall_exit_suite/dup3_x.cpp +++ b/test/modern_bpf/test_suites/syscall_exit_suite/dup3_x.cpp @@ -17,7 +17,7 @@ TEST(SyscallExit, dup3X) uint32_t flags = O_CLOEXEC; int32_t res = syscall(__NR_dup3, old_fd, new_fd, flags); assert_syscall_state(SYSCALL_FAILURE, "dup3", res); - int64_t errno_value = -errno; + int32_t errno_value = -errno; syscall(__NR_close, old_fd); syscall(__NR_close, new_fd); @@ -40,14 +40,14 @@ TEST(SyscallExit, dup3X) /*=============================== ASSERT PARAMETERS ===========================*/ - /* Parameter 1: res (type: PT_FD) */ - evt_test->assert_numeric_param(1, (int64_t)errno_value); + /* Parameter 1: res (type: PT_FD32) */ + evt_test->assert_numeric_param(1, errno_value); - /* Parameter 2: oldfd (type: PT_FD) */ - evt_test->assert_numeric_param(2, (int64_t)old_fd); + /* Parameter 2: oldfd (type: PT_FD32) */ + evt_test->assert_numeric_param(2, old_fd); - /* Parameter 3: newfd (type: PT_FD) */ - evt_test->assert_numeric_param(3, (int64_t)new_fd); + /* Parameter 3: newfd (type: PT_FD32) */ + evt_test->assert_numeric_param(3, new_fd); /* Parameter 4: flags (type: PT_FLAGS32) */ evt_test->assert_numeric_param(4, (uint32_t)PPM_O_CLOEXEC); diff --git a/test/modern_bpf/test_suites/syscall_exit_suite/dup_x.cpp b/test/modern_bpf/test_suites/syscall_exit_suite/dup_x.cpp index 6c78c01679..9e34782889 100644 --- a/test/modern_bpf/test_suites/syscall_exit_suite/dup_x.cpp +++ b/test/modern_bpf/test_suites/syscall_exit_suite/dup_x.cpp @@ -35,11 +35,11 @@ TEST(SyscallExit, dupX) /*=============================== ASSERT PARAMETERS ===========================*/ - /* Parameter 1: res (type: PT_FD) */ - evt_test->assert_numeric_param(1, (int64_t)new_fd); + /* Parameter 1: res (type: PT_FD32) */ + evt_test->assert_numeric_param(1, new_fd); - /* Parameter 2: oldfd (type: PT_FD) */ - evt_test->assert_numeric_param(2, (int64_t)old_fd); + /* Parameter 2: oldfd (type: PT_FD32) */ + evt_test->assert_numeric_param(2, old_fd); /*=============================== ASSERT PARAMETERS ===========================*/ diff --git a/test/modern_bpf/test_suites/syscall_exit_suite/fchdir_x.cpp b/test/modern_bpf/test_suites/syscall_exit_suite/fchdir_x.cpp index bcc4e45c4b..20fdc546c7 100644 --- a/test/modern_bpf/test_suites/syscall_exit_suite/fchdir_x.cpp +++ b/test/modern_bpf/test_suites/syscall_exit_suite/fchdir_x.cpp @@ -11,7 +11,7 @@ TEST(SyscallExit, fchdirX) int invalid_fd = -1; assert_syscall_state(SYSCALL_FAILURE, "fchdir", syscall(__NR_fchdir, invalid_fd)); - int64_t errno_value = -errno; + int32_t errno_value = -errno; /*=============================== TRIGGER SYSCALL ===========================*/ @@ -30,7 +30,7 @@ TEST(SyscallExit, fchdirX) /*=============================== ASSERT PARAMETERS ===========================*/ - /* Parameter 1: res (type: PT_ERRNO)*/ + /* Parameter 1: res (type: PT_ERRNO32)*/ evt_test->assert_numeric_param(1, errno_value); /*=============================== ASSERT PARAMETERS ===========================*/ diff --git a/test/modern_bpf/test_suites/syscall_exit_suite/fchmod_x.cpp b/test/modern_bpf/test_suites/syscall_exit_suite/fchmod_x.cpp index 34c095cfaf..ce27ddecde 100644 --- a/test/modern_bpf/test_suites/syscall_exit_suite/fchmod_x.cpp +++ b/test/modern_bpf/test_suites/syscall_exit_suite/fchmod_x.cpp @@ -12,7 +12,7 @@ TEST(SyscallExit, fchmodX) int32_t mock_fd = -1; uint32_t mode = S_IXUSR; assert_syscall_state(SYSCALL_FAILURE, "fchmod", syscall(__NR_fchmod, mock_fd, mode)); - int64_t errno_value = -errno; + int32_t errno_value = -errno; /*=============================== TRIGGER SYSCALL ===========================*/ @@ -31,11 +31,11 @@ TEST(SyscallExit, fchmodX) /*=============================== ASSERT PARAMETERS ===========================*/ - /* Parameter 1: res (type: PT_ERRNO) */ - evt_test->assert_numeric_param(1, (int64_t)errno_value); + /* Parameter 1: res (type: PT_ERRNO32) */ + evt_test->assert_numeric_param(1, errno_value); - /* Parameter 2: fd (type: PT_FD) */ - evt_test->assert_numeric_param(2, (int64_t)mock_fd); + /* Parameter 2: fd (type: PT_FD32) */ + evt_test->assert_numeric_param(2, mock_fd); /* Parameter 3: mode (type: PT_MODE) */ evt_test->assert_numeric_param(3, (uint32_t)PPM_S_IXUSR); diff --git a/test/modern_bpf/test_suites/syscall_exit_suite/fchmodat_x.cpp b/test/modern_bpf/test_suites/syscall_exit_suite/fchmodat_x.cpp index 808a7707c5..1771f1f92a 100644 --- a/test/modern_bpf/test_suites/syscall_exit_suite/fchmodat_x.cpp +++ b/test/modern_bpf/test_suites/syscall_exit_suite/fchmodat_x.cpp @@ -14,7 +14,7 @@ TEST(SyscallExit, fchmodatX) uint32_t mode = S_IXUSR; uint32_t flags = 0; assert_syscall_state(SYSCALL_FAILURE, "fchmodat", syscall(__NR_fchmodat, mock_dirfd, pathname, mode, flags)); - int64_t errno_value = -errno; + int32_t errno_value = -errno; /*=============================== TRIGGER SYSCALL ===========================*/ @@ -33,11 +33,11 @@ TEST(SyscallExit, fchmodatX) /*=============================== ASSERT PARAMETERS ===========================*/ - /* Parameter 1: res (type: PT_ERRNO) */ - evt_test->assert_numeric_param(1, (int64_t)errno_value); + /* Parameter 1: res (type: PT_ERRNO32) */ + evt_test->assert_numeric_param(1, errno_value); - /* Parameter 2: dirfd (type: PT_FD) */ - evt_test->assert_numeric_param(2, (int64_t)mock_dirfd); + /* Parameter 2: dirfd (type: PT_FD32) */ + evt_test->assert_numeric_param(2, mock_dirfd); /* Parameter 3: filename (type: PT_FSPATH) */ evt_test->assert_charbuf_param(3, pathname); diff --git a/test/modern_bpf/test_suites/syscall_exit_suite/mkdir_x.cpp b/test/modern_bpf/test_suites/syscall_exit_suite/mkdir_x.cpp index d956be067e..ff038d53d9 100644 --- a/test/modern_bpf/test_suites/syscall_exit_suite/mkdir_x.cpp +++ b/test/modern_bpf/test_suites/syscall_exit_suite/mkdir_x.cpp @@ -12,7 +12,7 @@ TEST(SyscallExit, mkdirX) uint32_t mode = 7; const char* path = "*//null"; assert_syscall_state(SYSCALL_FAILURE, "mkdir", syscall(__NR_mkdir, path, mode)); - int64_t errno_value = -errno; + int32_t errno_value = -errno; /*=============================== TRIGGER SYSCALL ===========================*/ @@ -31,7 +31,7 @@ TEST(SyscallExit, mkdirX) /*=============================== ASSERT PARAMETERS ===========================*/ - /* Parameter 1: res (type: PT_ERRNO)*/ + /* Parameter 1: res (type: PT_ERRNO32)*/ evt_test->assert_numeric_param(1, errno_value); /* Parameter 2: path (type: PT_FSPATH) */ diff --git a/test/modern_bpf/test_suites/syscall_exit_suite/mkdirat_x.cpp b/test/modern_bpf/test_suites/syscall_exit_suite/mkdirat_x.cpp index 1745af52b9..699dea7fb0 100644 --- a/test/modern_bpf/test_suites/syscall_exit_suite/mkdirat_x.cpp +++ b/test/modern_bpf/test_suites/syscall_exit_suite/mkdirat_x.cpp @@ -13,7 +13,7 @@ TEST(SyscallExit, mkdiratX) const char* path = "/invalid/path"; uint32_t mode = 8; assert_syscall_state(SYSCALL_FAILURE, "mkdirat", syscall(__NR_mkdirat, mock_dirfd, path, mode)); - int64_t errno_value = -errno; + int32_t errno_value = -errno; /*=============================== TRIGGER SYSCALL ===========================*/ @@ -32,11 +32,11 @@ TEST(SyscallExit, mkdiratX) /*=============================== ASSERT PARAMETERS ===========================*/ - /* Parameter 1: res (type: PT_ERRNO) */ - evt_test->assert_numeric_param(1, (int64_t)errno_value); + /* Parameter 1: res (type: PT_ERRNO32) */ + evt_test->assert_numeric_param(1, errno_value); - /* Parameter 2: dirfd (type: PT_FD) */ - evt_test->assert_numeric_param(2, (int64_t)mock_dirfd); + /* Parameter 2: dirfd (type: PT_FD32) */ + evt_test->assert_numeric_param(2, mock_dirfd); /* Parameter 3: path (type: PT_FSRELPATH) */ evt_test->assert_charbuf_param(3, path); diff --git a/test/modern_bpf/test_suites/syscall_exit_suite/open_by_handle_at_x.cpp b/test/modern_bpf/test_suites/syscall_exit_suite/open_by_handle_at_x.cpp index f91308e495..8857f6a3e8 100644 --- a/test/modern_bpf/test_suites/syscall_exit_suite/open_by_handle_at_x.cpp +++ b/test/modern_bpf/test_suites/syscall_exit_suite/open_by_handle_at_x.cpp @@ -143,11 +143,11 @@ TEST(SyscallExit, open_by_handle_atX_success) /*=============================== ASSERT PARAMETERS ===========================*/ - /* Parameter 1: ret (type: PT_FD) */ - evt_test->assert_numeric_param(1, (int64_t)open_by_handle_fd); + /* Parameter 1: ret (type: PT_FD32) */ + evt_test->assert_numeric_param(1, open_by_handle_fd); - /* Parameter 2: mountfd (type: PT_FD) */ - evt_test->assert_numeric_param(2, (int64_t)dirfd); + /* Parameter 2: mountfd (type: PT_FD32) */ + evt_test->assert_numeric_param(2, dirfd); /* Parameter 3: flags (type: PT_FLAGS32) */ evt_test->assert_numeric_param(3, (uint32_t)PPM_O_RDONLY); diff --git a/test/modern_bpf/test_suites/syscall_exit_suite/open_x.cpp b/test/modern_bpf/test_suites/syscall_exit_suite/open_x.cpp index 1171fd839e..88b1a04d63 100644 --- a/test/modern_bpf/test_suites/syscall_exit_suite/open_x.cpp +++ b/test/modern_bpf/test_suites/syscall_exit_suite/open_x.cpp @@ -45,8 +45,8 @@ TEST(SyscallExit, openX_success) /*=============================== ASSERT PARAMETERS ===========================*/ - /* Parameter 1: ret (type: PT_FD)*/ - evt_test->assert_numeric_param(1, (int64_t)fd); + /* Parameter 1: ret (type: PT_FD32)*/ + evt_test->assert_numeric_param(1, fd); /* Parameter 2: name (type: PT_FSPATH) */ evt_test->assert_charbuf_param(2, pathname); @@ -85,7 +85,7 @@ TEST(SyscallExit, openX_failure) int flags = O_RDWR | O_TMPFILE | O_DIRECTORY; mode_t mode = 0; assert_syscall_state(SYSCALL_FAILURE, "open", syscall(__NR_open, pathname, flags, mode)); - int64_t errno_value = -errno; + int32_t errno_value = -errno; /*=============================== TRIGGER SYSCALL ===========================*/ @@ -104,8 +104,8 @@ TEST(SyscallExit, openX_failure) /*=============================== ASSERT PARAMETERS ===========================*/ - /* Parameter 1: ret (type: PT_FD)*/ - evt_test->assert_numeric_param(1, (int64_t)errno_value); + /* Parameter 1: ret (type: PT_FD32)*/ + evt_test->assert_numeric_param(1, errno_value); /* Parameter 2: name (type: PT_FSPATH) */ evt_test->assert_charbuf_param(2, pathname); diff --git a/test/modern_bpf/test_suites/syscall_exit_suite/openat2_x.cpp b/test/modern_bpf/test_suites/syscall_exit_suite/openat2_x.cpp index 425c0c099c..2d14e7cde5 100644 --- a/test/modern_bpf/test_suites/syscall_exit_suite/openat2_x.cpp +++ b/test/modern_bpf/test_suites/syscall_exit_suite/openat2_x.cpp @@ -42,11 +42,11 @@ TEST(SyscallExit, openat2X_success) /*=============================== ASSERT PARAMETERS ===========================*/ - /* Parameter 1: fd (type: PT_FD) */ - evt_test->assert_numeric_param(1, (int64_t)fd); + /* Parameter 1: fd (type: PT_FD32) */ + evt_test->assert_numeric_param(1, fd); - /* Parameter 2: dirfd (type: PT_FD) */ - evt_test->assert_numeric_param(2, (int64_t)PPM_AT_FDCWD); + /* Parameter 2: dirfd (type: PT_FD32) */ + evt_test->assert_numeric_param(2, PPM_AT_FDCWD); /* Parameter 3: name (type: PT_FSPATH) */ evt_test->assert_charbuf_param(3, pathname); @@ -85,7 +85,7 @@ TEST(SyscallExit, openat2X_failure) how.mode = 0; how.resolve = RESOLVE_BENEATH | RESOLVE_NO_MAGICLINKS; assert_syscall_state(SYSCALL_FAILURE, "openat2", syscall(__NR_openat2, dirfd, pathname, &how, sizeof(struct open_how))); - int64_t errno_value = -errno; + int32_t errno_value = -errno; /*=============================== TRIGGER SYSCALL ===========================*/ @@ -104,11 +104,11 @@ TEST(SyscallExit, openat2X_failure) /*=============================== ASSERT PARAMETERS ===========================*/ - /* Parameter 1: fd (type: PT_FD) */ - evt_test->assert_numeric_param(1, (int64_t)errno_value); + /* Parameter 1: fd (type: PT_FD32) */ + evt_test->assert_numeric_param(1, errno_value); - /* Parameter 2: dirfd (type: PT_FD) */ - evt_test->assert_numeric_param(2, (int64_t)PPM_AT_FDCWD); + /* Parameter 2: dirfd (type: PT_FD32) */ + evt_test->assert_numeric_param(2, PPM_AT_FDCWD); /* Parameter 3: name (type: PT_FSPATH) */ evt_test->assert_charbuf_param(3, pathname); diff --git a/test/modern_bpf/test_suites/syscall_exit_suite/openat_x.cpp b/test/modern_bpf/test_suites/syscall_exit_suite/openat_x.cpp index dd95e7e2f5..eb244b27a8 100644 --- a/test/modern_bpf/test_suites/syscall_exit_suite/openat_x.cpp +++ b/test/modern_bpf/test_suites/syscall_exit_suite/openat_x.cpp @@ -46,11 +46,11 @@ TEST(SyscallExit, openatX_success) /*=============================== ASSERT PARAMETERS ===========================*/ - /* Parameter 1: fd (type: PT_FD) */ - evt_test->assert_numeric_param(1, (int64_t)fd); + /* Parameter 1: fd (type: PT_FD32) */ + evt_test->assert_numeric_param(1, fd); - /* Parameter 2: dirfd (type: PT_FD) */ - evt_test->assert_numeric_param(2, (int64_t)PPM_AT_FDCWD); + /* Parameter 2: dirfd (type: PT_FD32) */ + evt_test->assert_numeric_param(2, PPM_AT_FDCWD); /* Parameter 3: name (type: PT_FSPATH) */ evt_test->assert_charbuf_param(3, pathname); @@ -90,7 +90,7 @@ TEST(SyscallExit, openatX_failure) int flags = O_RDWR | O_TMPFILE | O_DIRECTORY; mode_t mode = 0; assert_syscall_state(SYSCALL_FAILURE, "openat", syscall(__NR_openat, dirfd, pathname, flags, mode)); - int64_t errno_value = -errno; + int32_t errno_value = -errno; /*=============================== TRIGGER SYSCALL ===========================*/ @@ -109,11 +109,11 @@ TEST(SyscallExit, openatX_failure) /*=============================== ASSERT PARAMETERS ===========================*/ - /* Parameter 1: fd (type: PT_FD) */ - evt_test->assert_numeric_param(1, (int64_t)errno_value); + /* Parameter 1: fd (type: PT_FD32) */ + evt_test->assert_numeric_param(1, errno_value); - /* Parameter 2: dirfd (type: PT_FD) */ - evt_test->assert_numeric_param(2, (int64_t)PPM_AT_FDCWD); + /* Parameter 2: dirfd (type: PT_FD32) */ + evt_test->assert_numeric_param(2, PPM_AT_FDCWD); /* Parameter 3: name (type: PT_FSPATH) */ evt_test->assert_charbuf_param(3, pathname); diff --git a/test/modern_bpf/test_suites/syscall_exit_suite/rmdir_x.cpp b/test/modern_bpf/test_suites/syscall_exit_suite/rmdir_x.cpp index fa3088024e..73cd7d9af7 100644 --- a/test/modern_bpf/test_suites/syscall_exit_suite/rmdir_x.cpp +++ b/test/modern_bpf/test_suites/syscall_exit_suite/rmdir_x.cpp @@ -11,7 +11,7 @@ TEST(SyscallExit, rmdirX) const char* path = "*//null"; assert_syscall_state(SYSCALL_FAILURE, "rmdir", syscall(__NR_rmdir, path)); - int64_t errno_value = -errno; + int32_t errno_value = -errno; /*=============================== TRIGGER SYSCALL ===========================*/ @@ -30,8 +30,8 @@ TEST(SyscallExit, rmdirX) /*=============================== ASSERT PARAMETERS ===========================*/ - /* Parameter 1: res (type: PT_ERRNO)*/ - evt_test->assert_numeric_param(1, (int64_t)errno_value); + /* Parameter 1: res (type: PT_ERRNO32)*/ + evt_test->assert_numeric_param(1, errno_value); /* Parameter 2: path (type: PT_FSPATH) */ evt_test->assert_charbuf_param(2, path); diff --git a/userspace/libscap/examples/01-open/scap_open.c b/userspace/libscap/examples/01-open/scap_open.c index 6c083b96b6..a07e5946cf 100644 --- a/userspace/libscap/examples/01-open/scap_open.c +++ b/userspace/libscap/examples/01-open/scap_open.c @@ -131,12 +131,16 @@ void print_parameter(int16_t num_param) break; case PT_INT32: + case PT_ERRNO32: + case PT_FD32: + case PT_PID32: printf("PARAM %d: %d\n", num_param, *(int32_t*)(valptr)); break; case PT_INT64: case PT_ERRNO: case PT_PID: + case PT_FD: printf("PARAM %d: %ld\n", num_param, *(int64_t*)(valptr)); break; @@ -167,10 +171,6 @@ void print_parameter(int16_t num_param) printf("PARAM %d: %lu\n", num_param, *(uint64_t*)(valptr)); break; - case PT_FD: - printf("PARAM %d: %d\n", num_param, *(int32_t*)(valptr)); - break; - case PT_SOCKADDR: { printf("PARAM %d:\n", num_param); diff --git a/userspace/libscap/scap_event.c b/userspace/libscap/scap_event.c index a72144efb7..ed827368e9 100644 --- a/userspace/libscap/scap_event.c +++ b/userspace/libscap/scap_event.c @@ -224,9 +224,12 @@ int32_t scap_event_encode_params_v(const struct scap_sized_buffer event_buf, siz case PT_SIGSET: case PT_MODE: case PT_ENUMFLAGS32: - u32_arg = va_arg(args, uint32_t); - param.buf = &u32_arg; - param.size = sizeof(uint32_t); + case PT_ERRNO32: + case PT_FD32: + case PT_PID32: + u32_arg = va_arg(args, uint32_t); + param.buf = &u32_arg; + param.size = sizeof(uint32_t); break; case PT_INT64: @@ -237,9 +240,9 @@ int32_t scap_event_encode_params_v(const struct scap_sized_buffer event_buf, siz case PT_RELTIME: case PT_ABSTIME: case PT_DOUBLE: - u64_arg = va_arg(args, uint64_t); - param.buf = &u64_arg; - param.size = sizeof(uint64_t); + u64_arg = va_arg(args, uint64_t); + param.buf = &u64_arg; + param.size = sizeof(uint64_t); break; case PT_CHARBUF: @@ -252,6 +255,7 @@ int32_t scap_event_encode_params_v(const struct scap_sized_buffer event_buf, siz case PT_BYTEBUF: /* A raw buffer of bytes not suitable for printing */ case PT_SOCKTUPLE: /* A sockaddr tuple,1byte family + 12byte data + 12byte data */ case PT_FDLIST: /* A list of fds, 16bit count + count * (64bit fd + 16bit flags) */ + case PT_FDLIST32: /* A list of fds, 16bit count + count * (32bit fd + 16bit flags) */ case PT_DYN: /* Type can vary depending on the context. Used for filter fields like evt.rawarg. */ case PT_CHARBUFARRAY: /* Pointer to an array of strings, exported by the user events decoder. 64bit. For internal use only. */ case PT_CHARBUF_PAIR_ARRAY: /* Pointer to an array of string pairs, exported by the user events decoder. 64bit. For internal use only. */ diff --git a/userspace/libsinsp/event.cpp b/userspace/libsinsp/event.cpp index c361735af2..058782fe89 100644 --- a/userspace/libsinsp/event.cpp +++ b/userspace/libsinsp/event.cpp @@ -852,6 +852,34 @@ Json::Value sinsp_evt::get_param_as_json(uint32_t id, OUT const char** resolved_ } break; + case PT_PID32: + { + ASSERT(payload_len == sizeof(int32_t)); + + int val = *(int32_t *)payload; + ret = (Json::Value::Int)val; + + sinsp_threadinfo* atinfo = m_inspector->get_thread_ref((int64_t)val, false, true).get(); + if(atinfo != NULL) + { + string& tcomm = atinfo->m_comm; + + // + // Make sure the string will fit + // + if(tcomm.size() >= m_resolved_paramstr_storage.size()) + { + m_resolved_paramstr_storage.resize(tcomm.size() + 1); + } + + snprintf(&m_resolved_paramstr_storage[0], + m_resolved_paramstr_storage.size(), + "%s", + tcomm.c_str()); + } + } + break; + case PT_ERRNO: { ASSERT(payload_len == sizeof(int64_t)); @@ -878,17 +906,55 @@ Json::Value sinsp_evt::get_param_as_json(uint32_t id, OUT const char** resolved_ } break; - case PT_FD: + case PT_ERRNO32: + { + ASSERT(payload_len == sizeof(int32_t)); + + int32_t val = *(int32_t *)payload; + + // + // Resolve this as an errno + // + string errstr; + + if(val < 0) { - // We use the string extractor to get - // the resolved path, but use our routine - // to get the actual value to return - ASSERT(payload_len == sizeof(int64_t)); - int64_t fd = *(int64_t*)payload; - render_fd_json(&ret, fd, resolved_str, fmt); - ret["num"] = (Json::Value::UInt64)*(int64_t *)payload; - break; + errstr = sinsp_utils::errno_to_str(val); + + if(errstr != "") + { + snprintf(&m_resolved_paramstr_storage[0], + m_resolved_paramstr_storage.size(), + "%s", errstr.c_str()); + } } + ret = (Json::Value::Int)val; + } + break; + + case PT_FD: + { + // We use the string extractor to get + // the resolved path, but use our routine + // to get the actual value to return + ASSERT(payload_len == sizeof(int64_t)); + int64_t fd = *(int64_t*)payload; + render_fd_json(&ret, fd, resolved_str, fmt); + ret["num"] = (Json::Value::UInt64)*(int64_t *)payload; + break; + } + + case PT_FD32: + { + // We use the string extractor to get + // the resolved path, but use our routine + // to get the actual value to return + ASSERT(payload_len == sizeof(int32_t)); + int32_t fd = *(int32_t*)payload; + render_fd_json(&ret, (int64_t)fd, resolved_str, fmt); + ret["num"] = (Json::Value::Int)fd; + break; + } case PT_CHARBUF: case PT_FSPATH: @@ -1098,6 +1164,7 @@ Json::Value sinsp_evt::get_param_as_json(uint32_t id, OUT const char** resolved_ } break; case PT_FDLIST: + case PT_FDLIST32: ret = get_param_as_str(id, resolved_str, fmt); break; @@ -1433,14 +1500,22 @@ std::string sinsp_evt::get_base_dir(uint32_t id, sinsp_threadinfo *tinfo) const ppm_param_info* dir_param_info = &(m_info->params[dirfd_id]); // Ensure the index points to an actual FD - if (dir_param_info->type != PT_FD) + if (dir_param_info->type != PT_FD && dir_param_info->type != PT_FD32) { - ASSERT(dir_param_info->type == PT_FD); + ASSERT(dir_param_info->type == PT_FD || dir_param_info->type == PT_FD32); return cwd; } const sinsp_evt_param* dir_param = get_param(dirfd_id); - const int64_t dirfd = *(int64_t*)dir_param->m_val; + int64_t dirfd; + if (dir_param_info->type == PT_FD) + { + dirfd = *(int64_t*)dir_param->m_val; + } + else + { + dirfd = *(int32_t*)dir_param->m_val; + } // If the FD is special value PPM_AT_FDCWD, just use CWD if (dirfd == PPM_AT_FDCWD) @@ -1553,6 +1628,15 @@ const char* sinsp_evt::get_param_as_str(uint32_t id, OUT const char** resolved_s render_fd(fd, resolved_str, fmt); break; } + + case PT_FD32: + { + ASSERT(payload_len == sizeof(int32_t)); + int32_t fd = *(int32_t*)payload; + render_fd((int64_t)fd, resolved_str, fmt); + break; + } + case PT_PID: { ASSERT(payload_len == sizeof(int64_t)); @@ -1582,6 +1666,38 @@ const char* sinsp_evt::get_param_as_str(uint32_t id, OUT const char** resolved_s } } break; + + case PT_PID32: + { + ASSERT(payload_len == sizeof(int32_t)); + + int val = *(int32_t *)payload; + snprintf(&m_paramstr_storage[0], + m_paramstr_storage.size(), + "%d", val); + + + sinsp_threadinfo* atinfo = m_inspector->get_thread_ref((int64_t)val, false, true).get(); + if(atinfo != NULL) + { + string& tcomm = atinfo->m_comm; + + // + // Make sure the string will fit + // + if(tcomm.size() >= m_resolved_paramstr_storage.size()) + { + m_resolved_paramstr_storage.resize(tcomm.size() + 1); + } + + snprintf(&m_resolved_paramstr_storage[0], + m_resolved_paramstr_storage.size(), + "%s", + tcomm.c_str()); + } + } + break; + case PT_UINT8: ASSERT(payload_len == sizeof(uint8_t)); SET_NUMERIC_FORMAT(prfmt, param_fmt, PRIo8, PRId8, PRIX8); @@ -1634,6 +1750,36 @@ const char* sinsp_evt::get_param_as_str(uint32_t id, OUT const char** resolved_s } } break; + + case PT_ERRNO32: + { + ASSERT(payload_len == sizeof(int32_t)); + + int32_t val = *(int32_t *)payload; + + snprintf(&m_paramstr_storage[0], + m_paramstr_storage.size(), + "%d", val); + + // + // Resolve this as an errno + // + string errstr; + + if(val < 0) + { + errstr = sinsp_utils::errno_to_str(val); + + if(errstr != "") + { + snprintf(&m_resolved_paramstr_storage[0], + m_resolved_paramstr_storage.size(), + "%s", errstr.c_str()); + } + } + } + break; + case PT_UINT64: ASSERT(payload_len == sizeof(uint64_t)); SET_NUMERIC_FORMAT(prfmt, param_fmt, PRIo64, PRId64, PRIX64); @@ -1931,6 +2077,7 @@ const char* sinsp_evt::get_param_as_str(uint32_t id, OUT const char** resolved_s } break; case PT_FDLIST: + case PT_FDLIST32: { sinsp_threadinfo* tinfo = get_thread_info(); if(!tinfo) @@ -1947,7 +2094,16 @@ const char* sinsp_evt::get_param_as_str(uint32_t id, OUT const char** resolved_s for(j = 0; j < nfds; j++) { char tch; - int64_t fd = *(int64_t *)(payload + pos); + int64_t fd; + + if (param_info->type == PT_FDLIST) + { + fd = *(int64_t *)(payload + pos); + } + else + { + fd = *(int32_t *)(payload + pos); + } sinsp_fdinfo_t *fdinfo = tinfo->get_fd(fd); if(fdinfo) diff --git a/userspace/libsinsp/filter.cpp b/userspace/libsinsp/filter.cpp index 924c76da3f..8b1dfdf375 100644 --- a/userspace/libsinsp/filter.cpp +++ b/userspace/libsinsp/filter.cpp @@ -394,6 +394,9 @@ bool flt_compare(cmpop op, ppm_param_type type, void* operand1, void* operand2, case PT_INT16: return flt_compare_int64(op, (int64_t)*(int16_t*)operand1, (int64_t)*(int16_t*)operand2); case PT_INT32: + case PT_FD32: + case PT_PID32: + case PT_ERRNO32: return flt_compare_int64(op, (int64_t)*(int32_t*)operand1, (int64_t)*(int32_t*)operand2); case PT_INT64: case PT_FD: @@ -465,6 +468,7 @@ bool flt_compare(cmpop op, ppm_param_type type, void* operand1, void* operand2, case PT_SOCKADDR: case PT_SOCKTUPLE: case PT_FDLIST: + case PT_FDLIST32: case PT_SIGSET: default: ASSERT(false); @@ -514,6 +518,9 @@ bool flt_compare_avg(cmpop op, ASSERT(cnt2 != 0 || i642 == 0); return flt_compare_int64(op, i641, i642); case PT_INT32: + case PT_FD32: + case PT_PID32: + case PT_ERRNO32: i641 = ((int64_t)*(int32_t*)operand1) / cnt1; i642 = ((int64_t)*(int32_t*)operand2) / cnt2; ASSERT(cnt1 != 0 || i641 == 0); @@ -646,6 +653,8 @@ Json::Value sinsp_filter_check::rawval_to_json(uint8_t* rawval, } case PT_INT32: + case PT_FD32: + case PT_PID32: if(print_format == PF_DEC || print_format == PF_ID) { @@ -832,6 +841,9 @@ char* sinsp_filter_check::rawval_to_string(uint8_t* rawval, prfmt, *(int16_t *)rawval); return m_getpropertystr_storage; case PT_INT32: + case PT_FD32: + case PT_PID32: + case PT_ERRNO32: if(print_format == PF_OCT) { prfmt = (char*)"%" PRIo32; @@ -1322,6 +1334,7 @@ bool sinsp_filter_check::flt_compare(cmpop op, ppm_param_type type, void* operan case PT_SOCKADDR: case PT_SOCKTUPLE: case PT_FDLIST: + case PT_FDLIST32: case PT_FSPATH: case PT_SIGSET: case PT_FSRELPATH: diff --git a/userspace/libsinsp/filterchecks.cpp b/userspace/libsinsp/filterchecks.cpp index fccd3bd561..058cea3113 100644 --- a/userspace/libsinsp/filterchecks.cpp +++ b/userspace/libsinsp/filterchecks.cpp @@ -2782,7 +2782,7 @@ bool sinsp_filter_check_thread::compare_full_apid(sinsp_evt *evt) bool res; res = flt_compare(m_cmpop, - PT_PID, + PT_PID, // use PT_PID here as we pass a 64bit pid &pt->m_pid); if(res == true) diff --git a/userspace/libsinsp/parsers.cpp b/userspace/libsinsp/parsers.cpp index b7056f895a..9996b9b446 100644 --- a/userspace/libsinsp/parsers.cpp +++ b/userspace/libsinsp/parsers.cpp @@ -701,9 +701,16 @@ bool sinsp_parser::reset(sinsp_evt *evt) // parinfo = evt->get_param(0); ASSERT(parinfo->m_len == sizeof(int64_t)); - ASSERT(evt->get_param_info(0)->type == PT_FD); + ASSERT(evt->get_param_info(0)->type == PT_FD || evt->get_param_info(0)->type == PT_FD32); - evt->m_tinfo->m_lastevent_fd = *(int64_t *)parinfo->m_val; + if (evt->get_param_info(0)->type == PT_FD) + { + evt->m_tinfo->m_lastevent_fd = *(int64_t *)parinfo->m_val; + } + else + { + evt->m_tinfo->m_lastevent_fd = *(int32_t *)parinfo->m_val; + } evt->m_fdinfo = evt->m_tinfo->get_fd(evt->m_tinfo->m_lastevent_fd); } @@ -2638,8 +2645,18 @@ inline void sinsp_parser::infer_sendto_fdinfo(sinsp_evt* const evt) parinfo = evt->get_param(FILE_DESCRIPTOR_PARAM); ASSERT(parinfo->m_len == sizeof(int64_t)); - ASSERT(evt->get_param_info(FILE_DESCRIPTOR_PARAM)->type == PT_FD); - const int64_t fd = *((int64_t*) parinfo->m_val); + ASSERT(evt->get_param_info(FILE_DESCRIPTOR_PARAM)->type == PT_FD || + evt->get_param_info(FILE_DESCRIPTOR_PARAM)->type == PT_FD32); + int64_t fd; + + if (evt->get_param_info(FILE_DESCRIPTOR_PARAM)->type == PT_FD) + { + fd = *((int64_t *)parinfo->m_val); + } + else + { + fd = *((int32_t *)parinfo->m_val); + } if(fd < 0) { @@ -5590,9 +5607,17 @@ void sinsp_parser::parse_getsockopt_exit(sinsp_evt *evt) } parinfo = evt->get_param(4); - ASSERT(*parinfo->m_val == PPM_SOCKOPT_IDX_ERRNO); - ASSERT(parinfo->m_len == sizeof(int64_t) + 1); - err = *(int64_t *)(parinfo->m_val + 1); // add 1 byte to skip over PT_DYN param index + ASSERT(*parinfo->m_val == PPM_SOCKOPT_IDX_ERRNO || *parinfo->m_val == PPM_SOCKOPT_IDX_ERRNO32); + if (*parinfo->m_val == PPM_SOCKOPT_IDX_ERRNO) + { + ASSERT(parinfo->m_len == sizeof(int64_t) + 1); + err = *(int64_t *)(parinfo->m_val + 1); // add 1 byte to skip over PT_DYN param index + } + else + { + ASSERT(parinfo->m_len == sizeof(int32_t) + 1); + err = *(int32_t *)(parinfo->m_val + 1); // add 1 byte to skip over PT_DYN param index + } evt->m_errorcode = (int32_t)err; if (err < 0) diff --git a/userspace/libsinsp/utils.cpp b/userspace/libsinsp/utils.cpp index 3126d905ba..555cb88200 100644 --- a/userspace/libsinsp/utils.cpp +++ b/userspace/libsinsp/utils.cpp @@ -1339,16 +1339,20 @@ const char* param_type_to_string(ppm_param_type pt) case PT_BYTEBUF: return "BYTEBUF"; case PT_ERRNO: + case PT_ERRNO32: return "ERRNO"; case PT_SOCKADDR: return "SOCKADDR"; case PT_SOCKTUPLE: return "SOCKTUPLE"; case PT_FD: + case PT_FD32: return "FD"; case PT_PID: + case PT_PID32: return "PID"; case PT_FDLIST: + case PT_FDLIST32: return "FDLIST"; case PT_FSPATH: return "FSPATH"; diff --git a/userspace/libsinsp/value_parser.cpp b/userspace/libsinsp/value_parser.cpp index 4d46bd5c1e..8ffcc7fd4d 100644 --- a/userspace/libsinsp/value_parser.cpp +++ b/userspace/libsinsp/value_parser.cpp @@ -40,6 +40,8 @@ size_t sinsp_filter_value_parser::string_to_rawval(const char* str, uint32_t len parsed_len = sizeof(int16_t); break; case PT_INT32: + case PT_FD32: + case PT_ERRNO32: *(int32_t*)storage = sinsp_numparser::parsed32(str); parsed_len = sizeof(int32_t); break;