1use falco_event_derive::event_info;
2
3event_info! {
4 [PPME_GENERIC_E] = {"syscall",
5 EC_OTHER | EC_SYSCALL,
6 EF_NONE,
7 2,
8 {{"id", PT_SYSCALLID, PF_DEC}, {"native_id", PT_UINT16, PF_DEC}}},
9 [PPME_GENERIC_X] =
10 {"syscall", EC_OTHER | EC_SYSCALL, EF_NONE, 1, {{"id", PT_SYSCALLID, PF_DEC}}},
11 [PPME_SYSCALL_OPEN_E] = {"open",
12 EC_FILE | EC_SYSCALL,
13 EF_CREATES_FD | EF_MODIFIES_STATE,
14 3,
15 {{"name", PT_FSPATH, PF_NA},
16 {"flags", PT_FLAGS32, PF_HEX, file_flags},
17 {"mode", PT_UINT32, PF_OCT}}},
18 [PPME_SYSCALL_OPEN_X] = {"open",
19 EC_FILE | EC_SYSCALL,
20 EF_CREATES_FD | EF_MODIFIES_STATE,
21 6,
22 {{"fd", PT_FD, PF_DEC},
23 {"name", PT_FSPATH, PF_NA},
24 {"flags", PT_FLAGS32, PF_HEX, file_flags},
25 {"mode", PT_UINT32, PF_OCT},
26 {"dev", PT_UINT32, PF_HEX},
27 {"ino", PT_UINT64, PF_DEC}}},
28 [PPME_SYSCALL_CLOSE_E] = {"close",
29 EC_IO_OTHER | EC_SYSCALL,
30 EF_DESTROYS_FD | EF_USES_FD | EF_MODIFIES_STATE,
31 1,
32 {{"fd", PT_FD, PF_DEC}}},
33 [PPME_SYSCALL_CLOSE_X] = {"close",
34 EC_IO_OTHER | EC_SYSCALL,
35 EF_DESTROYS_FD | EF_USES_FD | EF_MODIFIES_STATE,
36 1,
37 {{"res", PT_ERRNO, PF_DEC}}},
38 [PPME_SYSCALL_READ_E] = {"read",
39 EC_IO_READ | EC_SYSCALL,
40 EF_USES_FD | EF_READS_FROM_FD | EF_TMP_CONVERTER_MANAGED,
41 2,
42 {{"fd", PT_FD, PF_DEC}, {"size", PT_UINT32, PF_DEC}}},
43 [PPME_SYSCALL_READ_X] = {"read",
44 EC_IO_READ | EC_SYSCALL,
45 EF_USES_FD | EF_READS_FROM_FD | EF_TMP_CONVERTER_MANAGED,
46 4,
47 {{"res", PT_ERRNO, PF_DEC},
48 {"data", PT_BYTEBUF, PF_NA},
49 {"fd", PT_FD, PF_DEC},
50 {"size", PT_UINT32, PF_DEC}}},
51 [PPME_SYSCALL_WRITE_E] = {"write",
52 EC_IO_WRITE | EC_SYSCALL,
53 EF_USES_FD | EF_WRITES_TO_FD | EF_TMP_CONVERTER_MANAGED,
54 2,
55 {{"fd", PT_FD, PF_DEC}, {"size", PT_UINT32, PF_DEC}}},
56 [PPME_SYSCALL_WRITE_X] = {"write",
57 EC_IO_WRITE | EC_SYSCALL,
58 EF_USES_FD | EF_WRITES_TO_FD | EF_TMP_CONVERTER_MANAGED,
59 4,
60 {{"res", PT_ERRNO, PF_DEC},
61 {"data", PT_BYTEBUF, PF_NA},
62 {"fd", PT_FD, PF_DEC},
63 {"size", PT_UINT32, PF_DEC}}},
64 [PPME_SYSCALL_BRK_1_E] =
65 {"brk", EC_MEMORY | EC_SYSCALL, EF_OLD_VERSION, 1, {{"size", PT_UINT32, PF_DEC}}},
66 [PPME_SYSCALL_BRK_1_X] =
67 {"brk", EC_MEMORY | EC_SYSCALL, EF_OLD_VERSION, 1, {{"res", PT_UINT64, PF_HEX}}},
68 [PPME_SYSCALL_EXECVE_8_E] = {"execve",
69 EC_PROCESS | EC_SYSCALL,
70 EF_MODIFIES_STATE | EF_OLD_VERSION,
71 0},
72 [PPME_SYSCALL_EXECVE_8_X] = {"execve",
73 EC_PROCESS | EC_SYSCALL,
74 EF_MODIFIES_STATE | EF_OLD_VERSION,
75 8,
76 {{"res", PT_ERRNO, PF_DEC},
77 {"exe", PT_CHARBUF, PF_NA},
78 {"args", PT_BYTEBUF, PF_NA},
79 {"tid", PT_PID, PF_DEC},
80 {"pid", PT_PID, PF_DEC},
81 {"ptid", PT_PID, PF_DEC},
82 {"cwd", PT_CHARBUF, PF_NA},
83 {"fdlimit", PT_UINT64, PF_DEC}}},
84 [PPME_SYSCALL_CLONE_11_E] = {"clone",
85 EC_PROCESS | EC_SYSCALL,
86 EF_MODIFIES_STATE | EF_OLD_VERSION,
87 0},
88 [PPME_SYSCALL_CLONE_11_X] = {"clone",
89 EC_PROCESS | EC_SYSCALL,
90 EF_MODIFIES_STATE | EF_OLD_VERSION,
91 11,
92 {{"res", PT_PID, PF_DEC},
93 {"exe", PT_CHARBUF, PF_NA},
94 {"args", PT_BYTEBUF, PF_NA},
95 {"tid", PT_PID, PF_DEC},
96 {"pid", PT_PID, PF_DEC},
97 {"ptid", PT_PID, PF_DEC},
98 {"cwd", PT_CHARBUF, PF_NA},
99 {"fdlimit", PT_INT64, PF_DEC},
100 {"flags", PT_FLAGS32, PF_HEX, clone_flags},
101 {"uid", PT_UINT32, PF_DEC},
102 {"gid", PT_UINT32, PF_DEC}}},
103 [PPME_PROCEXIT_E] = {"procexit",
104 EC_PROCESS | EC_TRACEPOINT,
105 EF_MODIFIES_STATE | EF_OLD_VERSION,
106 0},
107 [PPME_PROCEXIT_X] = {"NA", EC_UNKNOWN, EF_UNUSED | EF_OLD_VERSION, 0},
108 [PPME_SOCKET_SOCKET_E] = {"socket",
109 EC_NET | EC_SYSCALL,
110 EF_CREATES_FD | EF_MODIFIES_STATE | EF_TMP_CONVERTER_MANAGED,
111 3,
112 {{"domain", PT_ENUMFLAGS32, PF_DEC, socket_families},
113 {"type", PT_UINT32, PF_DEC},
114 {"proto", PT_UINT32, PF_DEC}}},
115 [PPME_SOCKET_SOCKET_X] = {"socket",
116 EC_NET | EC_SYSCALL,
117 EF_CREATES_FD | EF_MODIFIES_STATE | EF_TMP_CONVERTER_MANAGED,
118 4,
119 {{"fd", PT_FD, PF_DEC},
120 {"domain", PT_ENUMFLAGS32, PF_DEC, socket_families},
121 {"type", PT_UINT32, PF_DEC},
122 {"proto", PT_UINT32, PF_DEC}}},
123 [PPME_SOCKET_BIND_E] = {"bind",
124 EC_NET | EC_SYSCALL,
125 EF_USES_FD | EF_MODIFIES_STATE | EF_TMP_CONVERTER_MANAGED,
126 1,
127 {{"fd", PT_FD, PF_DEC}}},
128 [PPME_SOCKET_BIND_X] = {"bind",
129 EC_NET | EC_SYSCALL,
130 EF_USES_FD | EF_MODIFIES_STATE | EF_TMP_CONVERTER_MANAGED,
131 3,
132 {{"res", PT_ERRNO, PF_DEC},
133 {"addr", PT_SOCKADDR, PF_NA},
134 {"fd", PT_FD, PF_DEC}}},
135 [PPME_SOCKET_CONNECT_E] = {"connect",
136 EC_NET | EC_SYSCALL,
137 EF_USES_FD | EF_MODIFIES_STATE,
138 2,
139 {{"fd", PT_FD, PF_DEC}, {"addr", PT_SOCKADDR, PF_NA}}},
140 [PPME_SOCKET_CONNECT_X] = {"connect",
141 EC_NET | EC_SYSCALL,
142 EF_USES_FD | EF_MODIFIES_STATE,
143 3,
144 {{"res", PT_ERRNO, PF_DEC},
145 {"tuple", PT_SOCKTUPLE, PF_NA},
146 {"fd", PT_FD, PF_DEC}}},
147 [PPME_SOCKET_LISTEN_E] = {"listen",
148 EC_NET | EC_SYSCALL,
149 EF_USES_FD | EF_TMP_CONVERTER_MANAGED,
150 2,
151 {{"fd", PT_FD, PF_DEC}, {"backlog", PT_INT32, PF_DEC}}},
152 [PPME_SOCKET_LISTEN_X] = {"listen",
153 EC_NET | EC_SYSCALL,
154 EF_USES_FD | EF_TMP_CONVERTER_MANAGED,
155 3,
156 {{"res", PT_ERRNO, PF_DEC},
157 {"fd", PT_FD, PF_DEC},
158 {"backlog", PT_INT32, PF_DEC}}},
159 [PPME_SOCKET_ACCEPT_E] = {"accept",
160 EC_NET | EC_SYSCALL,
161 EF_CREATES_FD | EF_MODIFIES_STATE | EF_OLD_VERSION |
162 EF_TMP_CONVERTER_MANAGED,
163 0},
164 [PPME_SOCKET_ACCEPT_X] = {"accept",
165 EC_NET | EC_SYSCALL,
166 EF_CREATES_FD | EF_MODIFIES_STATE | EF_OLD_VERSION |
167 EF_TMP_CONVERTER_MANAGED,
168 3,
169 {{"fd", PT_FD, PF_DEC},
170 {"tuple", PT_SOCKTUPLE, PF_NA},
171 {"queuepct", PT_UINT8, PF_DEC}}},
172 [PPME_SOCKET_SEND_E] = {"send",
173 EC_IO_WRITE | EC_SYSCALL,
174 EF_USES_FD | EF_WRITES_TO_FD,
175 2,
176 {{"fd", PT_FD, PF_DEC}, {"size", PT_UINT32, PF_DEC}}},
177 [PPME_SOCKET_SEND_X] = {"send",
178 EC_IO_WRITE | EC_SYSCALL,
179 EF_USES_FD | EF_WRITES_TO_FD,
180 2,
181 {{"res", PT_ERRNO, PF_DEC}, {"data", PT_BYTEBUF, PF_NA}}},
182 [PPME_SOCKET_SENDTO_E] = {"sendto",
183 EC_IO_WRITE | EC_SYSCALL,
184 EF_USES_FD | EF_WRITES_TO_FD | EF_MODIFIES_STATE,
185 3,
186 {{"fd", PT_FD, PF_DEC},
187 {"size", PT_UINT32, PF_DEC},
188 {"tuple", PT_SOCKTUPLE, PF_NA}}},
189 [PPME_SOCKET_SENDTO_X] = {"sendto",
190 EC_IO_WRITE | EC_SYSCALL,
191 EF_USES_FD | EF_WRITES_TO_FD | EF_MODIFIES_STATE,
192 2,
193 {{"res", PT_ERRNO, PF_DEC}, {"data", PT_BYTEBUF, PF_NA}}},
194 [PPME_SOCKET_RECV_E] = {"recv",
195 EC_IO_READ | EC_SYSCALL,
196 EF_USES_FD | EF_READS_FROM_FD,
197 2,
198 {{"fd", PT_FD, PF_DEC}, {"size", PT_UINT32, PF_DEC}}},
199 [PPME_SOCKET_RECV_X] = {"recv",
200 EC_IO_READ | EC_SYSCALL,
201 EF_USES_FD | EF_READS_FROM_FD,
202 2,
203 {{"res", PT_ERRNO, PF_DEC}, {"data", PT_BYTEBUF, PF_NA}}},
204 [PPME_SOCKET_RECVFROM_E] = {"recvfrom",
205 EC_IO_READ | EC_SYSCALL,
206 EF_USES_FD | EF_READS_FROM_FD | EF_MODIFIES_STATE,
207 2,
208 {{"fd", PT_FD, PF_DEC}, {"size", PT_UINT32, PF_DEC}}},
209 [PPME_SOCKET_RECVFROM_X] = {"recvfrom",
210 EC_IO_READ | EC_SYSCALL,
211 EF_USES_FD | EF_READS_FROM_FD | EF_MODIFIES_STATE,
212 3,
213 {{"res", PT_ERRNO, PF_DEC},
214 {"data", PT_BYTEBUF, PF_NA},
215 {"tuple", PT_SOCKTUPLE, PF_NA}}},
216 [PPME_SOCKET_SHUTDOWN_E] = {"shutdown",
217 EC_NET | EC_SYSCALL,
218 EF_USES_FD | EF_MODIFIES_STATE,
219 2,
220 {{"fd", PT_FD, PF_DEC},
221 {"how", PT_ENUMFLAGS8, PF_HEX, shutdown_how}}},
222 [PPME_SOCKET_SHUTDOWN_X] = {"shutdown",
223 EC_NET | EC_SYSCALL,
224 EF_USES_FD | EF_MODIFIES_STATE,
225 1,
226 {{"res", PT_ERRNO, PF_DEC}}},
227 [PPME_SOCKET_GETSOCKNAME_E] = {"getsockname", EC_NET | EC_SYSCALL, EF_NONE, 0},
228 [PPME_SOCKET_GETSOCKNAME_X] = {"getsockname", EC_NET | EC_SYSCALL, EF_NONE, 0},
229 [PPME_SOCKET_GETPEERNAME_E] = {"getpeername", EC_NET | EC_SYSCALL, EF_NONE, 0},
230 [PPME_SOCKET_GETPEERNAME_X] = {"getpeername", EC_NET | EC_SYSCALL, EF_NONE, 0},
231 [PPME_SOCKET_SOCKETPAIR_E] = {"socketpair",
232 EC_IPC | EC_SYSCALL,
233 EF_CREATES_FD | EF_MODIFIES_STATE,
234 3,
235 {{"domain", PT_ENUMFLAGS32, PF_DEC, socket_families},
236 {"type", PT_UINT32, PF_DEC},
237 {"proto", PT_UINT32, PF_DEC}}},
238 [PPME_SOCKET_SOCKETPAIR_X] = {"socketpair",
239 EC_IPC | EC_SYSCALL,
240 EF_CREATES_FD | EF_MODIFIES_STATE,
241 5,
242 {{"res", PT_ERRNO, PF_DEC},
243 {"fd1", PT_FD, PF_DEC},
244 {"fd2", PT_FD, PF_DEC},
245 {"source", PT_UINT64, PF_HEX},
246 {"peer", PT_UINT64, PF_HEX}}},
247 [PPME_SOCKET_SETSOCKOPT_E] = {"setsockopt", EC_NET | EC_SYSCALL, EF_NONE, 0},
248 [PPME_SOCKET_SETSOCKOPT_X] =
249 {"setsockopt",
250 EC_NET | EC_SYSCALL,
251 EF_USES_FD,
252 6,
253 {{"res", PT_ERRNO, PF_DEC},
254 {"fd", PT_FD, PF_DEC},
255 {"level", PT_ENUMFLAGS8, PF_DEC, sockopt_levels},
256 {"optname", PT_ENUMFLAGS8, PF_DEC, sockopt_options},
257 {"val", PT_DYN, PF_DEC, sockopt_dynamic_param, PPM_SOCKOPT_IDX_MAX},
258 {"optlen", PT_UINT32, PF_DEC}}},
259 [PPME_SOCKET_GETSOCKOPT_E] = {"getsockopt", EC_NET | EC_SYSCALL, EF_MODIFIES_STATE, 0},
260 [PPME_SOCKET_GETSOCKOPT_X] =
261 {"getsockopt",
262 EC_NET | EC_SYSCALL,
263 EF_USES_FD | EF_MODIFIES_STATE,
264 6,
265 {{"res", PT_ERRNO, PF_DEC},
266 {"fd", PT_FD, PF_DEC},
267 {"level", PT_ENUMFLAGS8, PF_DEC, sockopt_levels},
268 {"optname", PT_ENUMFLAGS8, PF_DEC, sockopt_options},
269 {"val", PT_DYN, PF_DEC, sockopt_dynamic_param, PPM_SOCKOPT_IDX_MAX},
270 {"optlen", PT_UINT32, PF_DEC}}},
271 [PPME_SOCKET_SENDMSG_E] = {"sendmsg",
272 EC_IO_WRITE | EC_SYSCALL,
273 EF_USES_FD | EF_WRITES_TO_FD | EF_MODIFIES_STATE,
274 3,
275 {{"fd", PT_FD, PF_DEC},
276 {"size", PT_UINT32, PF_DEC},
277 {"tuple", PT_SOCKTUPLE, PF_NA}}},
278 [PPME_SOCKET_SENDMSG_X] = {"sendmsg",
279 EC_IO_WRITE | EC_SYSCALL,
280 EF_USES_FD | EF_WRITES_TO_FD | EF_MODIFIES_STATE,
281 2,
282 {{"res", PT_ERRNO, PF_DEC}, {"data", PT_BYTEBUF, PF_NA}}},
283 [PPME_SOCKET_SENDMMSG_E] = {"sendmmsg", EC_IO_WRITE | EC_SYSCALL, EF_NONE, 0},
284 [PPME_SOCKET_SENDMMSG_X] = {"sendmmsg",
285 EC_IO_WRITE | EC_SYSCALL,
286 EF_USES_FD | EF_WRITES_TO_FD | EF_MODIFIES_STATE,
287 5,
288 {{"res", PT_ERRNO, PF_DEC},
289 {"fd", PT_FD, PF_DEC},
290 {"size", PT_UINT32, PF_DEC},
291 {"data", PT_BYTEBUF, PF_NA},
292 {"tuple", PT_SOCKTUPLE, PF_NA}}},
293 [PPME_SOCKET_RECVMSG_E] = {"recvmsg",
294 EC_IO_READ | EC_SYSCALL,
295 EF_USES_FD | EF_READS_FROM_FD | EF_MODIFIES_STATE,
296 1,
297 {{"fd", PT_FD, PF_DEC}}},
298 [PPME_SOCKET_RECVMSG_X] = {"recvmsg",
299 EC_IO_READ | EC_SYSCALL,
300 EF_USES_FD | EF_READS_FROM_FD | EF_MODIFIES_STATE,
301 5,
302 {{"res", PT_ERRNO, PF_DEC},
303 {"size", PT_UINT32, PF_DEC},
304 {"data", PT_BYTEBUF, PF_NA},
305 {"tuple", PT_SOCKTUPLE, PF_NA},
306 {"msgcontrol", PT_BYTEBUF, PF_NA}}},
307 [PPME_SOCKET_RECVMMSG_E] = {"recvmmsg", EC_IO_READ | EC_SYSCALL, EF_NONE, 0},
308 [PPME_SOCKET_RECVMMSG_X] = {"recvmmsg",
309 EC_IO_READ | EC_SYSCALL,
310 EF_USES_FD | EF_READS_FROM_FD | EF_MODIFIES_STATE,
311 6,
312 {{"res", PT_ERRNO, PF_DEC},
313 {"fd", PT_FD, PF_DEC},
314 {"size", PT_UINT32, PF_DEC},
315 {"data", PT_BYTEBUF, PF_NA},
316 {"tuple", PT_SOCKTUPLE, PF_NA},
317 {"msgcontrol", PT_BYTEBUF, PF_NA}}},
318 [PPME_SOCKET_ACCEPT4_E] = {"accept",
319 EC_NET | EC_SYSCALL,
320 EF_CREATES_FD | EF_MODIFIES_STATE | EF_OLD_VERSION,
321 1,
322 {{"flags", PT_INT32, PF_HEX}}},
323 [PPME_SOCKET_ACCEPT4_X] = {"accept",
324 EC_NET | EC_SYSCALL,
325 EF_CREATES_FD | EF_MODIFIES_STATE | EF_OLD_VERSION,
326 3,
327 {{"fd", PT_FD, PF_DEC},
328 {"tuple", PT_SOCKTUPLE, PF_NA},
329 {"queuepct", PT_UINT8, PF_DEC}}},
330 [PPME_SYSCALL_CREAT_E] = {"creat",
331 EC_FILE | EC_SYSCALL,
332 EF_CREATES_FD | EF_MODIFIES_STATE,
333 2,
334 {{"name", PT_FSPATH, PF_NA}, {"mode", PT_UINT32, PF_OCT}}},
335 [PPME_SYSCALL_CREAT_X] = {"creat",
336 EC_FILE | EC_SYSCALL,
337 EF_CREATES_FD | EF_MODIFIES_STATE,
338 6,
339 {{"fd", PT_FD, PF_DEC},
340 {"name", PT_FSPATH, PF_NA},
341 {"mode", PT_UINT32, PF_OCT},
342 {"dev", PT_UINT32, PF_HEX},
343 {"ino", PT_UINT64, PF_DEC},
344 {"creat_flags", PT_FLAGS16, PF_HEX, creat_flags}}},
345 [PPME_SYSCALL_PIPE_E] = {"pipe", EC_IPC | EC_SYSCALL, EF_CREATES_FD | EF_MODIFIES_STATE, 0},
346 [PPME_SYSCALL_PIPE_X] = {"pipe",
347 EC_IPC | EC_SYSCALL,
348 EF_CREATES_FD | EF_MODIFIES_STATE,
349 4,
350 {{"res", PT_ERRNO, PF_DEC},
351 {"fd1", PT_FD, PF_DEC},
352 {"fd2", PT_FD, PF_DEC},
353 {"ino", PT_UINT64, PF_DEC}}},
354 [PPME_SYSCALL_EVENTFD_E] = {"eventfd",
355 EC_IPC | EC_SYSCALL,
356 EF_CREATES_FD | EF_MODIFIES_STATE,
357 2,
358 {{"initval", PT_UINT64, PF_DEC}, {"flags", PT_UINT32, PF_HEX}}},
359 [PPME_SYSCALL_EVENTFD_X] = {"eventfd",
360 EC_IPC | EC_SYSCALL,
361 EF_CREATES_FD | EF_MODIFIES_STATE,
362 1,
363 {{"res", PT_FD, PF_DEC}}},
364 [PPME_SYSCALL_FUTEX_E] = {"futex",
365 EC_IPC | EC_SYSCALL,
366 EF_NONE,
367 3,
368 {{"addr", PT_UINT64, PF_HEX},
369 {"op", PT_FLAGS16, PF_HEX, futex_operations},
370 {"val", PT_UINT64, PF_DEC}}},
371 [PPME_SYSCALL_FUTEX_X] =
372 {"futex", EC_IPC | EC_SYSCALL, EF_NONE, 1, {{"res", PT_ERRNO, PF_DEC}}},
373 [PPME_SYSCALL_STAT_E] = {"stat", EC_FILE | EC_SYSCALL, EF_NONE, 0},
374 [PPME_SYSCALL_STAT_X] = {"stat",
375 EC_FILE | EC_SYSCALL,
376 EF_NONE,
377 2,
378 {{"res", PT_ERRNO, PF_DEC}, {"path", PT_FSPATH, PF_NA}}},
379 [PPME_SYSCALL_LSTAT_E] = {"lstat", EC_FILE | EC_SYSCALL, EF_NONE, 0},
380 [PPME_SYSCALL_LSTAT_X] = {"lstat",
381 EC_FILE | EC_SYSCALL,
382 EF_NONE,
383 2,
384 {{"res", PT_ERRNO, PF_DEC}, {"path", PT_FSPATH, PF_NA}}},
385 [PPME_SYSCALL_FSTAT_E] =
386 {"fstat", EC_FILE | EC_SYSCALL, EF_USES_FD, 1, {{"fd", PT_FD, PF_NA}}},
387 [PPME_SYSCALL_FSTAT_X] =
388 {"fstat", EC_FILE | EC_SYSCALL, EF_USES_FD, 1, {{"res", PT_ERRNO, PF_DEC}}},
389 [PPME_SYSCALL_STAT64_E] = {"stat64", EC_FILE | EC_SYSCALL, EF_NONE, 0},
390 [PPME_SYSCALL_STAT64_X] = {"stat64",
391 EC_FILE | EC_SYSCALL,
392 EF_NONE,
393 2,
394 {{"res", PT_ERRNO, PF_DEC}, {"path", PT_FSPATH, PF_NA}}},
395 [PPME_SYSCALL_LSTAT64_E] = {"lstat64", EC_FILE | EC_SYSCALL, EF_NONE, 0},
396 [PPME_SYSCALL_LSTAT64_X] = {"lstat64",
397 EC_FILE | EC_SYSCALL,
398 EF_NONE,
399 2,
400 {{"res", PT_ERRNO, PF_DEC}, {"path", PT_FSPATH, PF_NA}}},
401 [PPME_SYSCALL_FSTAT64_E] =
402 {"fstat64", EC_FILE | EC_SYSCALL, EF_USES_FD, 1, {{"fd", PT_FD, PF_NA}}},
403 [PPME_SYSCALL_FSTAT64_X] =
404 {"fstat64", EC_FILE | EC_SYSCALL, EF_USES_FD, 1, {{"res", PT_ERRNO, PF_DEC}}},
405 [PPME_SYSCALL_EPOLLWAIT_E] = {"epoll_wait",
406 EC_WAIT | EC_SYSCALL,
407 EF_WAITS,
408 1,
409 {{"maxevents", PT_ERRNO, PF_DEC}}},
410 [PPME_SYSCALL_EPOLLWAIT_X] =
411 {"epoll_wait", EC_WAIT | EC_SYSCALL, EF_WAITS, 1, {{"res", PT_ERRNO, PF_DEC}}},
412 [PPME_SYSCALL_POLL_E] = {"poll",
413 EC_WAIT | EC_SYSCALL,
414 EF_WAITS,
415 2,
416 {{"fds", PT_FDLIST, PF_DEC}, {"timeout", PT_INT64, PF_DEC}}},
417 [PPME_SYSCALL_POLL_X] = {"poll",
418 EC_WAIT | EC_SYSCALL,
419 EF_WAITS,
420 2,
421 {{"res", PT_ERRNO, PF_DEC}, {"fds", PT_FDLIST, PF_DEC}}},
422 [PPME_SYSCALL_SELECT_E] = {"select", EC_WAIT | EC_SYSCALL, EF_WAITS, 0},
423 [PPME_SYSCALL_SELECT_X] =
424 {"select", EC_WAIT | EC_SYSCALL, EF_WAITS, 1, {{"res", PT_ERRNO, PF_DEC}}},
425 [PPME_SYSCALL_NEWSELECT_E] = {"select", EC_WAIT | EC_SYSCALL, EF_WAITS | EF_OLD_VERSION, 0},
426 [PPME_SYSCALL_NEWSELECT_X] = {"select",
427 EC_WAIT | EC_SYSCALL,
428 EF_WAITS | EF_OLD_VERSION,
429 1,
430 {{"res", PT_ERRNO, PF_DEC}}},
431 [PPME_SYSCALL_LSEEK_E] = {"lseek",
432 EC_FILE | EC_SYSCALL,
433 EF_USES_FD,
434 3,
435 {{"fd", PT_FD, PF_DEC},
436 {"offset", PT_UINT64, PF_DEC},
437 {"whence", PT_ENUMFLAGS8, PF_DEC, lseek_whence}}},
438 [PPME_SYSCALL_LSEEK_X] =
439 {"lseek", EC_FILE | EC_SYSCALL, EF_USES_FD, 1, {{"res", PT_ERRNO, PF_DEC}}},
440 [PPME_SYSCALL_LLSEEK_E] = {"llseek",
441 EC_FILE | EC_SYSCALL,
442 EF_USES_FD,
443 3,
444 {{"fd", PT_FD, PF_DEC},
445 {"offset", PT_UINT64, PF_DEC},
446 {"whence", PT_ENUMFLAGS8, PF_DEC, lseek_whence}}},
447 [PPME_SYSCALL_LLSEEK_X] =
448 {"llseek", EC_FILE | EC_SYSCALL, EF_USES_FD, 1, {{"res", PT_ERRNO, PF_DEC}}},
449 [PPME_SYSCALL_IOCTL_2_E] = {"ioctl",
450 EC_IO_OTHER | EC_SYSCALL,
451 EF_USES_FD | EF_OLD_VERSION,
452 2,
453 {{"fd", PT_FD, PF_DEC}, {"request", PT_UINT64, PF_HEX}}},
454 [PPME_SYSCALL_IOCTL_2_X] = {"ioctl",
455 EC_IO_OTHER | EC_SYSCALL,
456 EF_USES_FD | EF_OLD_VERSION,
457 1,
458 {{"res", PT_ERRNO, PF_DEC}}},
459 [PPME_SYSCALL_GETCWD_E] = {"getcwd", EC_FILE | EC_SYSCALL, EF_NONE, 0},
460 [PPME_SYSCALL_GETCWD_X] = {"getcwd",
463 EC_FILE | EC_SYSCALL,
464 EF_NONE,
465 2,
466 {{"res", PT_ERRNO, PF_DEC}, {"path", PT_CHARBUF, PF_NA}}},
467 [PPME_SYSCALL_CHDIR_E] = {"chdir", EC_FILE | EC_SYSCALL, EF_MODIFIES_STATE, 0},
470 [PPME_SYSCALL_CHDIR_X] = {"chdir",
471 EC_FILE | EC_SYSCALL,
472 EF_MODIFIES_STATE,
473 2,
474 {{"res", PT_ERRNO, PF_DEC}, {"path", PT_CHARBUF, PF_NA}}},
475 [PPME_SYSCALL_FCHDIR_E] = {"fchdir",
476 EC_FILE | EC_SYSCALL,
477 EF_USES_FD | EF_MODIFIES_STATE,
478 1,
479 {{"fd", PT_FD, PF_NA}}},
480 [PPME_SYSCALL_FCHDIR_X] = {"fchdir",
481 EC_FILE | EC_SYSCALL,
482 EF_USES_FD | EF_MODIFIES_STATE,
483 1,
484 {{"res", PT_ERRNO, PF_DEC}}},
485 [PPME_SYSCALL_MKDIR_E] = {"mkdir",
486 EC_FILE | EC_SYSCALL,
487 EF_OLD_VERSION,
488 2,
489 {{"path", PT_FSPATH, PF_NA}, {"mode", PT_UINT32, PF_HEX}}},
490 [PPME_SYSCALL_MKDIR_X] =
491 {"mkdir", EC_FILE | EC_SYSCALL, EF_OLD_VERSION, 1, {{"res", PT_ERRNO, PF_DEC}}},
492 [PPME_SYSCALL_RMDIR_E] =
493 {"rmdir", EC_FILE | EC_SYSCALL, EF_OLD_VERSION, 1, {{"path", PT_FSPATH, PF_NA}}},
494 [PPME_SYSCALL_RMDIR_X] =
495 {"rmdir", EC_FILE | EC_SYSCALL, EF_OLD_VERSION, 1, {{"res", PT_ERRNO, PF_DEC}}},
496 [PPME_SYSCALL_OPENAT_E] = {"openat",
497 EC_FILE | EC_SYSCALL,
498 EF_CREATES_FD | EF_MODIFIES_STATE | EF_OLD_VERSION,
499 4,
500 {{"dirfd", PT_FD, PF_DEC},
501 {"name", PT_CHARBUF, PF_NA},
502 {"flags", PT_FLAGS32, PF_HEX, file_flags},
503 {"mode", PT_UINT32, PF_OCT}}},
504 [PPME_SYSCALL_OPENAT_X] = {"openat",
505 EC_FILE | EC_SYSCALL,
506 EF_CREATES_FD | EF_MODIFIES_STATE | EF_OLD_VERSION,
507 1,
508 {{"fd", PT_FD, PF_DEC}}},
509 [PPME_SYSCALL_LINK_E] = {"link",
510 EC_FILE | EC_SYSCALL,
511 EF_OLD_VERSION,
512 2,
513 {{"oldpath", PT_FSPATH, PF_NA}, {"newpath", PT_FSPATH, PF_NA}}},
514 [PPME_SYSCALL_LINK_X] =
515 {"link", EC_FILE | EC_SYSCALL, EF_OLD_VERSION, 1, {{"res", PT_ERRNO, PF_DEC}}},
516 [PPME_SYSCALL_LINKAT_E] = {"linkat",
517 EC_FILE | EC_SYSCALL,
518 EF_OLD_VERSION,
519 4,
520 {{"olddir", PT_FD, PF_DEC},
521 {"oldpath", PT_CHARBUF, PF_NA},
522 {"newdir", PT_FD, PF_DEC},
523 {"newpath", PT_CHARBUF, PF_NA}}},
524 [PPME_SYSCALL_LINKAT_X] =
525 {"linkat", EC_FILE | EC_SYSCALL, EF_OLD_VERSION, 1, {{"res", PT_ERRNO, PF_DEC}}},
526 [PPME_SYSCALL_UNLINK_E] =
527 {"unlink", EC_FILE | EC_SYSCALL, EF_OLD_VERSION, 1, {{"path", PT_FSPATH, PF_NA}}},
528 [PPME_SYSCALL_UNLINK_X] =
529 {"unlink", EC_FILE | EC_SYSCALL, EF_OLD_VERSION, 1, {{"res", PT_ERRNO, PF_DEC}}},
530 [PPME_SYSCALL_UNLINKAT_E] = {"unlinkat",
531 EC_FILE | EC_SYSCALL,
532 EF_OLD_VERSION,
533 2,
534 {{"dirfd", PT_FD, PF_DEC}, {"name", PT_CHARBUF, PF_NA}}},
535 [PPME_SYSCALL_UNLINKAT_X] =
536 {"unlinkat", EC_FILE | EC_SYSCALL, EF_OLD_VERSION, 1, {{"res", PT_ERRNO, PF_DEC}}},
537 [PPME_SYSCALL_PREAD_E] = {"pread",
538 EC_IO_READ | EC_SYSCALL,
539 EF_USES_FD | EF_READS_FROM_FD | EF_TMP_CONVERTER_MANAGED,
540 3,
541 {{"fd", PT_FD, PF_DEC},
542 {"size", PT_UINT32, PF_DEC},
543 {"pos", PT_UINT64, PF_DEC}}},
544 [PPME_SYSCALL_PREAD_X] = {"pread",
545 EC_IO_READ | EC_SYSCALL,
546 EF_USES_FD | EF_READS_FROM_FD | EF_TMP_CONVERTER_MANAGED,
547 5,
548 {{"res", PT_ERRNO, PF_DEC},
549 {"data", PT_BYTEBUF, PF_NA},
550 {"fd", PT_FD, PF_DEC},
551 {"size", PT_UINT32, PF_DEC},
552 {"pos", PT_UINT64, PF_DEC}}},
553 [PPME_SYSCALL_PWRITE_E] = {"pwrite",
554 EC_IO_WRITE | EC_SYSCALL,
555 EF_USES_FD | EF_WRITES_TO_FD | EF_TMP_CONVERTER_MANAGED,
556 3,
557 {{"fd", PT_FD, PF_DEC},
558 {"size", PT_UINT32, PF_DEC},
559 {"pos", PT_UINT64, PF_DEC}}},
560 [PPME_SYSCALL_PWRITE_X] = {"pwrite",
561 EC_IO_WRITE | EC_SYSCALL,
562 EF_USES_FD | EF_WRITES_TO_FD | EF_TMP_CONVERTER_MANAGED,
563 5,
564 {{"res", PT_ERRNO, PF_DEC},
565 {"data", PT_BYTEBUF, PF_NA},
566 {"fd", PT_FD, PF_DEC},
567 {"size", PT_UINT32, PF_DEC},
568 {"pos", PT_UINT64, PF_DEC}}},
569 [PPME_SYSCALL_READV_E] = {"readv",
570 EC_IO_READ | EC_SYSCALL,
571 EF_USES_FD | EF_READS_FROM_FD,
572 1,
573 {{"fd", PT_FD, PF_DEC}}},
574 [PPME_SYSCALL_READV_X] = {"readv",
575 EC_IO_READ | EC_SYSCALL,
576 EF_USES_FD | EF_READS_FROM_FD,
577 3,
578 {{"res", PT_ERRNO, PF_DEC},
579 {"size", PT_UINT32, PF_DEC},
580 {"data", PT_BYTEBUF, PF_NA}}},
581 [PPME_SYSCALL_WRITEV_E] = {"writev",
582 EC_IO_WRITE | EC_SYSCALL,
583 EF_USES_FD | EF_WRITES_TO_FD,
584 2,
585 {{"fd", PT_FD, PF_DEC}, {"size", PT_UINT32, PF_DEC}}},
586 [PPME_SYSCALL_WRITEV_X] = {"writev",
587 EC_IO_WRITE | EC_SYSCALL,
588 EF_USES_FD | EF_WRITES_TO_FD,
589 2,
590 {{"res", PT_ERRNO, PF_DEC}, {"data", PT_BYTEBUF, PF_NA}}},
591 [PPME_SYSCALL_PREADV_E] = {"preadv",
592 EC_IO_READ | EC_SYSCALL,
593 EF_USES_FD | EF_READS_FROM_FD,
594 2,
595 {{"fd", PT_FD, PF_DEC}, {"pos", PT_UINT64, PF_DEC}}},
596 [PPME_SYSCALL_PREADV_X] = {"preadv",
597 EC_IO_READ | EC_SYSCALL,
598 EF_USES_FD | EF_READS_FROM_FD,
599 3,
600 {{"res", PT_ERRNO, PF_DEC},
601 {"size", PT_UINT32, PF_DEC},
602 {"data", PT_BYTEBUF, PF_NA}}},
603 [PPME_SYSCALL_PWRITEV_E] = {"pwritev",
604 EC_IO_WRITE | EC_SYSCALL,
605 EF_USES_FD | EF_WRITES_TO_FD,
606 3,
607 {{"fd", PT_FD, PF_DEC},
608 {"size", PT_UINT32, PF_DEC},
609 {"pos", PT_UINT64, PF_DEC}}},
610 [PPME_SYSCALL_PWRITEV_X] = {"pwritev",
611 EC_IO_WRITE | EC_SYSCALL,
612 EF_USES_FD | EF_WRITES_TO_FD,
613 2,
614 {{"res", PT_ERRNO, PF_DEC}, {"data", PT_BYTEBUF, PF_NA}}},
615 [PPME_SYSCALL_DUP_E] = {"dup",
616 EC_IO_OTHER | EC_SYSCALL,
617 EF_CREATES_FD | EF_USES_FD | EF_MODIFIES_STATE | EF_OLD_VERSION,
618 1,
619 {{"fd", PT_FD, PF_DEC}}},
620 [PPME_SYSCALL_DUP_X] = {"dup",
621 EC_IO_OTHER | EC_SYSCALL,
622 EF_CREATES_FD | EF_USES_FD | EF_MODIFIES_STATE | EF_OLD_VERSION,
623 1,
624 {{"res", PT_FD, PF_DEC}}},
625 [PPME_SYSCALL_SIGNALFD_E] = {"signalfd",
626 EC_SIGNAL | EC_SYSCALL,
627 EF_CREATES_FD | EF_MODIFIES_STATE,
628 3,
629 {{"fd", PT_FD, PF_DEC},
630 {"mask", PT_UINT32, PF_HEX},
631 {"flags", PT_UINT8, PF_HEX}}},
632 [PPME_SYSCALL_SIGNALFD_X] = {"signalfd",
633 EC_SIGNAL | EC_SYSCALL,
634 EF_CREATES_FD | EF_MODIFIES_STATE,
635 1,
636 {{"res", PT_FD, PF_DEC}}},
637 [PPME_SYSCALL_KILL_E] = {"kill",
638 EC_SIGNAL | EC_SYSCALL,
639 EF_NONE,
640 2,
641 {{"pid", PT_PID, PF_DEC}, {"sig", PT_SIGTYPE, PF_DEC}}},
642 [PPME_SYSCALL_KILL_X] =
643 {"kill", EC_SIGNAL | EC_SYSCALL, EF_NONE, 1, {{"res", PT_ERRNO, PF_DEC}}},
644 [PPME_SYSCALL_TKILL_E] = {"tkill",
645 EC_SIGNAL | EC_SYSCALL,
646 EF_NONE,
647 2,
648 {{"tid", PT_PID, PF_DEC}, {"sig", PT_SIGTYPE, PF_DEC}}},
649 [PPME_SYSCALL_TKILL_X] =
650 {"tkill", EC_SIGNAL | EC_SYSCALL, EF_NONE, 1, {{"res", PT_ERRNO, PF_DEC}}},
651 [PPME_SYSCALL_TGKILL_E] = {"tgkill",
652 EC_SIGNAL | EC_SYSCALL,
653 EF_NONE,
654 3,
655 {{"pid", PT_PID, PF_DEC},
656 {"tid", PT_PID, PF_DEC},
657 {"sig", PT_SIGTYPE, PF_DEC}}},
658 [PPME_SYSCALL_TGKILL_X] =
659 {"tgkill", EC_SIGNAL | EC_SYSCALL, EF_NONE, 1, {{"res", PT_ERRNO, PF_DEC}}},
660 [PPME_SYSCALL_NANOSLEEP_E] = {"nanosleep",
661 EC_SLEEP | EC_SYSCALL,
662 EF_WAITS,
663 1,
664 {{"interval", PT_RELTIME, PF_DEC}}},
665 [PPME_SYSCALL_NANOSLEEP_X] =
666 {"nanosleep", EC_SLEEP | EC_SYSCALL, EF_WAITS, 1, {{"res", PT_ERRNO, PF_DEC}}},
667 [PPME_SYSCALL_TIMERFD_CREATE_E] = {"timerfd_create",
668 EC_TIME | EC_SYSCALL,
669 EF_CREATES_FD | EF_MODIFIES_STATE,
670 2,
671 {{"clockid", PT_UINT8, PF_DEC},
672 {"flags", PT_UINT8, PF_HEX}}},
673 [PPME_SYSCALL_TIMERFD_CREATE_X] = {"timerfd_create",
674 EC_TIME | EC_SYSCALL,
675 EF_CREATES_FD | EF_MODIFIES_STATE,
676 1,
677 {{"res", PT_FD, PF_DEC}}},
678 [PPME_SYSCALL_INOTIFY_INIT_E] = {"inotify_init",
679 EC_IPC | EC_SYSCALL,
680 EF_CREATES_FD | EF_MODIFIES_STATE,
681 1,
682 {{"flags", PT_UINT8, PF_HEX}}},
683 [PPME_SYSCALL_INOTIFY_INIT_X] = {"inotify_init",
684 EC_IPC | EC_SYSCALL,
685 EF_CREATES_FD | EF_MODIFIES_STATE,
686 1,
687 {{"res", PT_FD, PF_DEC}}},
688 [PPME_SYSCALL_GETRLIMIT_E] = {"getrlimit",
689 EC_PROCESS | EC_SYSCALL,
690 EF_NONE,
691 1,
692 {{"resource", PT_ENUMFLAGS8, PF_DEC, rlimit_resources}}},
693 [PPME_SYSCALL_GETRLIMIT_X] = {"getrlimit",
694 EC_PROCESS | EC_SYSCALL,
695 EF_NONE,
696 3,
697 {{"res", PT_ERRNO, PF_DEC},
698 {"cur", PT_INT64, PF_DEC},
699 {"max", PT_INT64, PF_DEC}}},
700 [PPME_SYSCALL_SETRLIMIT_E] = {"setrlimit",
701 EC_PROCESS | EC_SYSCALL,
702 EF_NONE,
703 1,
704 {{"resource", PT_ENUMFLAGS8, PF_DEC, rlimit_resources}}},
705 [PPME_SYSCALL_SETRLIMIT_X] = {"setrlimit",
706 EC_PROCESS | EC_SYSCALL,
707 EF_NONE,
708 4,
709 {{"res", PT_ERRNO, PF_DEC},
710 {"cur", PT_INT64, PF_DEC},
711 {"max", PT_INT64, PF_DEC},
712 {"resource", PT_ENUMFLAGS8, PF_DEC, rlimit_resources}}},
713 [PPME_SYSCALL_PRLIMIT_E] = {"prlimit",
714 EC_PROCESS | EC_SYSCALL,
715 EF_NONE,
716 2,
717 {{"pid", PT_PID, PF_DEC},
718 {"resource", PT_ENUMFLAGS8, PF_DEC, rlimit_resources}}},
719 [PPME_SYSCALL_PRLIMIT_X] = {"prlimit",
720 EC_PROCESS | EC_SYSCALL,
721 EF_NONE,
722 7,
723 {{"res", PT_ERRNO, PF_DEC},
724 {"newcur", PT_INT64, PF_DEC},
725 {"newmax", PT_INT64, PF_DEC},
726 {"oldcur", PT_INT64, PF_DEC},
727 {"oldmax", PT_INT64, PF_DEC},
728 {"pid", PT_INT64, PF_DEC},
729 {"resource", PT_ENUMFLAGS8, PF_DEC, rlimit_resources}}},
730 [PPME_SCHEDSWITCH_1_E] = {"switch",
731 EC_SCHEDULER | EC_TRACEPOINT,
732 EF_SKIPPARSERESET | EF_OLD_VERSION,
733 1,
734 {{"next", PT_PID, PF_DEC}}},
735 [PPME_SCHEDSWITCH_1_X] = {"NA",
736 EC_UNKNOWN,
737 EF_SKIPPARSERESET | EF_UNUSED | EF_OLD_VERSION,
738 0},
739 [PPME_DROP_E] = {"drop",
740 EC_INTERNAL | EC_METAEVENT,
741 EF_SKIPPARSERESET,
742 1,
743 {{"ratio", PT_UINT32, PF_DEC}}},
744 [PPME_DROP_X] = {"drop",
745 EC_INTERNAL | EC_METAEVENT,
746 EF_SKIPPARSERESET,
747 1,
748 {{"ratio", PT_UINT32, PF_DEC}}},
749 [PPME_SYSCALL_FCNTL_E] = {"fcntl",
750 EC_IO_OTHER | EC_SYSCALL,
751 EF_USES_FD | EF_MODIFIES_STATE,
752 2,
753 {{"fd", PT_FD, PF_DEC},
754 {"cmd", PT_ENUMFLAGS8, PF_DEC, fcntl_commands}}},
755 [PPME_SYSCALL_FCNTL_X] = {"fcntl",
756 EC_IO_OTHER | EC_SYSCALL,
757 EF_USES_FD | EF_MODIFIES_STATE,
758 3,
759 {{"res", PT_FD, PF_DEC},
760 {"fd", PT_FD, PF_DEC},
761 {"cmd", PT_ENUMFLAGS8, PF_DEC, fcntl_commands}}},
762 [PPME_SCHEDSWITCH_6_E] =
763 {"switch",
764 EC_SCHEDULER | EC_TRACEPOINT,
765 EF_NONE,
766 6,
767 {{"next", PT_PID, PF_DEC},
768 {"pgft_maj", PT_UINT64, PF_DEC},
769 {"pgft_min", PT_UINT64, PF_DEC},
770 {"vm_size", PT_UINT32, PF_DEC},
771 {"vm_rss", PT_UINT32, PF_DEC},
772 {"vm_swap", PT_UINT32, PF_DEC}}},
773 [PPME_SCHEDSWITCH_6_X] = {"NA", EC_UNKNOWN, EF_UNUSED, 0},
774 [PPME_SYSCALL_EXECVE_13_E] = {"execve",
775 EC_PROCESS | EC_SYSCALL,
776 EF_MODIFIES_STATE | EF_OLD_VERSION,
777 0},
778 [PPME_SYSCALL_EXECVE_13_X] = {"execve",
779 EC_PROCESS | EC_SYSCALL,
780 EF_MODIFIES_STATE | EF_OLD_VERSION,
781 13,
782 {{"res", PT_ERRNO, PF_DEC},
783 {"exe", PT_CHARBUF, PF_NA},
784 {"args", PT_BYTEBUF, PF_NA},
785 {"tid", PT_PID, PF_DEC},
786 {"pid", PT_PID, PF_DEC},
787 {"ptid", PT_PID, PF_DEC},
788 {"cwd", PT_CHARBUF, PF_NA},
789 {"fdlimit", PT_UINT64, PF_DEC},
790 {"pgft_maj", PT_UINT64, PF_DEC},
791 {"pgft_min", PT_UINT64, PF_DEC},
792 {"vm_size", PT_UINT32, PF_DEC},
793 {"vm_rss", PT_UINT32, PF_DEC},
794 {"vm_swap", PT_UINT32, PF_DEC}}},
795 [PPME_SYSCALL_CLONE_16_E] = {"clone",
796 EC_PROCESS | EC_SYSCALL,
797 EF_MODIFIES_STATE | EF_OLD_VERSION,
798 0},
799 [PPME_SYSCALL_CLONE_16_X] = {"clone",
800 EC_PROCESS | EC_SYSCALL,
801 EF_MODIFIES_STATE | EF_OLD_VERSION,
802 16,
803 {{"res", PT_PID, PF_DEC},
804 {"exe", PT_CHARBUF, PF_NA},
805 {"args", PT_BYTEBUF, PF_NA},
806 {"tid", PT_PID, PF_DEC},
807 {"pid", PT_PID, PF_DEC},
808 {"ptid", PT_PID, PF_DEC},
809 {"cwd", PT_CHARBUF, PF_NA},
810 {"fdlimit", PT_INT64, PF_DEC},
811 {"pgft_maj", PT_UINT64, PF_DEC},
812 {"pgft_min", PT_UINT64, PF_DEC},
813 {"vm_size", PT_UINT32, PF_DEC},
814 {"vm_rss", PT_UINT32, PF_DEC},
815 {"vm_swap", PT_UINT32, PF_DEC},
816 {"flags", PT_FLAGS32, PF_HEX, clone_flags},
817 {"uid", PT_UINT32, PF_DEC},
818 {"gid", PT_UINT32, PF_DEC}}},
819 [PPME_SYSCALL_BRK_4_E] =
820 {"brk", EC_MEMORY | EC_SYSCALL, EF_NONE, 1, {{"addr", PT_UINT64, PF_HEX}}},
821 [PPME_SYSCALL_BRK_4_X] = {"brk",
822 EC_MEMORY | EC_SYSCALL,
823 EF_NONE,
824 4,
825 {{"res", PT_UINT64, PF_HEX},
826 {"vm_size", PT_UINT32, PF_DEC},
827 {"vm_rss", PT_UINT32, PF_DEC},
828 {"vm_swap", PT_UINT32, PF_DEC}}},
829 [PPME_SYSCALL_MMAP_E] = {"mmap",
830 EC_MEMORY | EC_SYSCALL,
831 EF_USES_FD,
832 6,
833 {{"addr", PT_UINT64, PF_HEX},
834 {"length", PT_UINT64, PF_DEC},
835 {"prot", PT_FLAGS32, PF_HEX, prot_flags},
836 {"flags", PT_FLAGS32, PF_HEX, mmap_flags},
837 {"fd", PT_FD, PF_DEC},
838 {"offset", PT_UINT64, PF_DEC}}},
839 [PPME_SYSCALL_MMAP_X] = {"mmap",
840 EC_MEMORY | EC_SYSCALL,
841 EF_NONE,
842 4,
843 {{"res", PT_ERRNO, PF_HEX},
844 {"vm_size", PT_UINT32, PF_DEC},
845 {"vm_rss", PT_UINT32, PF_DEC},
846 {"vm_swap", PT_UINT32, PF_DEC}}},
847 [PPME_SYSCALL_MMAP2_E] = {"mmap2",
848 EC_MEMORY | EC_SYSCALL,
849 EF_USES_FD,
850 6,
851 {{"addr", PT_UINT64, PF_HEX},
852 {"length", PT_UINT64, PF_DEC},
853 {"prot", PT_FLAGS32, PF_HEX, prot_flags},
854 {"flags", PT_FLAGS32, PF_HEX, mmap_flags},
855 {"fd", PT_FD, PF_DEC},
856 {"pgoffset", PT_UINT64, PF_DEC}}},
857 [PPME_SYSCALL_MMAP2_X] = {"mmap2",
858 EC_MEMORY | EC_SYSCALL,
859 EF_NONE,
860 4,
861 {{"res", PT_ERRNO, PF_HEX},
862 {"vm_size", PT_UINT32, PF_DEC},
863 {"vm_rss", PT_UINT32, PF_DEC},
864 {"vm_swap", PT_UINT32, PF_DEC}}},
865 [PPME_SYSCALL_MUNMAP_E] = {"munmap",
866 EC_MEMORY | EC_SYSCALL,
867 EF_NONE,
868 2,
869 {{"addr", PT_UINT64, PF_HEX}, {"length", PT_UINT64, PF_DEC}}},
870 [PPME_SYSCALL_MUNMAP_X] = {"munmap",
871 EC_MEMORY | EC_SYSCALL,
872 EF_NONE,
873 4,
874 {{"res", PT_ERRNO, PF_DEC},
875 {"vm_size", PT_UINT32, PF_DEC},
876 {"vm_rss", PT_UINT32, PF_DEC},
877 {"vm_swap", PT_UINT32, PF_DEC}}},
878 [PPME_SYSCALL_SPLICE_E] = {"splice",
879 EC_IO_OTHER | EC_SYSCALL,
880 EF_USES_FD,
881 4,
882 {{"fd_in", PT_FD, PF_DEC},
883 {"fd_out", PT_FD, PF_DEC},
884 {"size", PT_UINT64, PF_DEC},
885 {"flags", PT_FLAGS32, PF_HEX, splice_flags}}},
886 [PPME_SYSCALL_SPLICE_X] =
887 {"splice", EC_IO_OTHER | EC_SYSCALL, EF_USES_FD, 1, {{"res", PT_ERRNO, PF_DEC}}},
888 [PPME_SYSCALL_PTRACE_E] = {"ptrace",
889 EC_PROCESS | EC_SYSCALL,
890 EF_NONE,
891 2,
892 {{"request", PT_ENUMFLAGS16, PF_DEC, ptrace_requests},
893 {"pid", PT_PID, PF_DEC}}},
894 [PPME_SYSCALL_PTRACE_X] =
895 {"ptrace",
896 EC_PROCESS | EC_SYSCALL,
897 EF_NONE,
898 3,
899 {{"res", PT_ERRNO, PF_DEC},
900 {"addr", PT_DYN, PF_HEX, ptrace_dynamic_param, PPM_PTRACE_IDX_MAX},
901 {"data", PT_DYN, PF_HEX, ptrace_dynamic_param, PPM_PTRACE_IDX_MAX}}},
902 [PPME_SYSCALL_IOCTL_3_E] = {"ioctl",
903 EC_IO_OTHER | EC_SYSCALL,
904 EF_USES_FD,
905 3,
906 {{"fd", PT_FD, PF_DEC},
907 {"request", PT_UINT64, PF_HEX},
908 {"argument", PT_UINT64, PF_HEX}}},
909 [PPME_SYSCALL_IOCTL_3_X] =
910 {"ioctl", EC_IO_OTHER | EC_SYSCALL, EF_USES_FD, 1, {{"res", PT_ERRNO, PF_DEC}}},
911 [PPME_SYSCALL_EXECVE_14_E] = {"execve",
912 EC_PROCESS | EC_SYSCALL,
913 EF_MODIFIES_STATE | EF_OLD_VERSION,
914 0},
915 [PPME_SYSCALL_EXECVE_14_X] = {"execve",
916 EC_PROCESS | EC_SYSCALL,
917 EF_MODIFIES_STATE | EF_OLD_VERSION,
918 14,
919 {{"res", PT_ERRNO, PF_DEC},
920 {"exe", PT_CHARBUF, PF_NA},
921 {"args", PT_BYTEBUF, PF_NA},
922 {"tid", PT_PID, PF_DEC},
923 {"pid", PT_PID, PF_DEC},
924 {"ptid", PT_PID, PF_DEC},
925 {"cwd", PT_CHARBUF, PF_NA},
926 {"fdlimit", PT_UINT64, PF_DEC},
927 {"pgft_maj", PT_UINT64, PF_DEC},
928 {"pgft_min", PT_UINT64, PF_DEC},
929 {"vm_size", PT_UINT32, PF_DEC},
930 {"vm_rss", PT_UINT32, PF_DEC},
931 {"vm_swap", PT_UINT32, PF_DEC},
932 {"env", PT_BYTEBUF, PF_NA}}},
933 [PPME_SYSCALL_RENAME_E] = {"rename", EC_FILE | EC_SYSCALL, EF_NONE, 0},
934 [PPME_SYSCALL_RENAME_X] = {"rename",
935 EC_FILE | EC_SYSCALL,
936 EF_NONE,
937 3,
938 {{"res", PT_ERRNO, PF_DEC},
939 {"oldpath", PT_FSPATH, PF_NA},
940 {"newpath", PT_FSPATH, PF_NA}}},
941 [PPME_SYSCALL_RENAMEAT_E] = {"renameat", EC_FILE | EC_SYSCALL, EF_NONE, 0},
942 [PPME_SYSCALL_RENAMEAT_X] = {"renameat",
943 EC_FILE | EC_SYSCALL,
944 EF_NONE,
945 5,
946 {{"res", PT_ERRNO, PF_DEC},
947 {"olddirfd", PT_FD, PF_DEC},
948 {"oldpath", PT_FSRELPATH, PF_NA, 1},
949 {"newdirfd", PT_FD, PF_DEC},
950 {"newpath", PT_FSRELPATH, PF_NA, 3}}},
951 [PPME_SYSCALL_SYMLINK_E] = {"symlink", EC_FILE | EC_SYSCALL, EF_NONE, 0},
952 [PPME_SYSCALL_SYMLINK_X] = {"symlink",
953 EC_FILE | EC_SYSCALL,
954 EF_NONE,
955 3,
956 {{"res", PT_ERRNO, PF_DEC},
957 {"target", PT_CHARBUF, PF_NA},
958 {"linkpath", PT_FSPATH, PF_NA}}},
959 [PPME_SYSCALL_SYMLINKAT_E] = {"symlinkat", EC_FILE | EC_SYSCALL, EF_NONE, 0},
960 [PPME_SYSCALL_SYMLINKAT_X] = {"symlinkat",
961 EC_FILE | EC_SYSCALL,
962 EF_NONE,
963 4,
964 {{"res", PT_ERRNO, PF_DEC},
965 {"target", PT_CHARBUF, PF_NA},
966 {"linkdirfd", PT_FD, PF_DEC},
967 {"linkpath", PT_FSRELPATH, PF_NA, 2}}},
968 [PPME_SYSCALL_FORK_E] = {"fork",
969 EC_PROCESS | EC_SYSCALL,
970 EF_MODIFIES_STATE | EF_OLD_VERSION,
971 0},
972 [PPME_SYSCALL_FORK_X] = {"fork",
973 EC_PROCESS | EC_SYSCALL,
974 EF_MODIFIES_STATE | EF_OLD_VERSION,
975 16,
976 {{"res", PT_PID, PF_DEC},
977 {"exe", PT_CHARBUF, PF_NA},
978 {"args", PT_BYTEBUF, PF_NA},
979 {"tid", PT_PID, PF_DEC},
980 {"pid", PT_PID, PF_DEC},
981 {"ptid", PT_PID, PF_DEC},
982 {"cwd", PT_CHARBUF, PF_NA},
983 {"fdlimit", PT_INT64, PF_DEC},
984 {"pgft_maj", PT_UINT64, PF_DEC},
985 {"pgft_min", PT_UINT64, PF_DEC},
986 {"vm_size", PT_UINT32, PF_DEC},
987 {"vm_rss", PT_UINT32, PF_DEC},
988 {"vm_swap", PT_UINT32, PF_DEC},
989 {"flags", PT_FLAGS32, PF_HEX, clone_flags},
990 {"uid", PT_UINT32, PF_DEC},
991 {"gid", PT_UINT32, PF_DEC}}},
992 [PPME_SYSCALL_VFORK_E] = {"vfork",
993 EC_PROCESS | EC_SYSCALL,
994 EF_MODIFIES_STATE | EF_OLD_VERSION,
995 0},
996 [PPME_SYSCALL_VFORK_X] = {"vfork",
997 EC_PROCESS | EC_SYSCALL,
998 EF_MODIFIES_STATE | EF_OLD_VERSION,
999 16,
1000 {{"res", PT_PID, PF_DEC},
1001 {"exe", PT_CHARBUF, PF_NA},
1002 {"args", PT_BYTEBUF, PF_NA},
1003 {"tid", PT_PID, PF_DEC},
1004 {"pid", PT_PID, PF_DEC},
1005 {"ptid", PT_PID, PF_DEC},
1006 {"cwd", PT_CHARBUF, PF_NA},
1007 {"fdlimit", PT_INT64, PF_DEC},
1008 {"pgft_maj", PT_UINT64, PF_DEC},
1009 {"pgft_min", PT_UINT64, PF_DEC},
1010 {"vm_size", PT_UINT32, PF_DEC},
1011 {"vm_rss", PT_UINT32, PF_DEC},
1012 {"vm_swap", PT_UINT32, PF_DEC},
1013 {"flags", PT_FLAGS32, PF_HEX, clone_flags},
1014 {"uid", PT_UINT32, PF_DEC},
1015 {"gid", PT_UINT32, PF_DEC}}},
1016 [PPME_PROCEXIT_1_E] = {"procexit",
1017 EC_PROCESS | EC_TRACEPOINT,
1018 EF_MODIFIES_STATE,
1019 5,
1020 {{"status", PT_ERRNO, PF_DEC},
1021 {"ret", PT_ERRNO, PF_DEC},
1022 {"sig", PT_SIGTYPE, PF_DEC},
1023 {"core", PT_UINT8, PF_DEC},
1024 {"reaper_tid", PT_PID, PF_DEC}}},
1025 [PPME_PROCEXIT_1_X] = {"NA", EC_UNKNOWN, EF_UNUSED, 0},
1026 [PPME_SYSCALL_SENDFILE_E] = {"sendfile",
1027 EC_IO_WRITE | EC_SYSCALL,
1028 EF_USES_FD,
1029 4,
1030 {{"out_fd", PT_FD, PF_DEC},
1031 {"in_fd", PT_FD, PF_DEC},
1032 {"offset", PT_UINT64, PF_DEC},
1033 {"size", PT_UINT64, PF_DEC}}},
1034 [PPME_SYSCALL_SENDFILE_X] = {"sendfile",
1035 EC_IO_WRITE | EC_SYSCALL,
1036 EF_USES_FD,
1037 2,
1038 {{"res", PT_ERRNO, PF_DEC}, {"offset", PT_UINT64, PF_DEC}}},
1039 [PPME_SYSCALL_QUOTACTL_E] = {"quotactl",
1040 EC_USER | EC_SYSCALL,
1041 EF_NONE,
1042 4,
1043 {{"cmd", PT_FLAGS16, PF_DEC, quotactl_cmds},
1044 {"type", PT_FLAGS8, PF_DEC, quotactl_types},
1045 {"id", PT_UINT32, PF_DEC},
1046 {"quota_fmt", PT_FLAGS8, PF_DEC, quotactl_quota_fmts}}},
1047 [PPME_SYSCALL_QUOTACTL_X] = {"quotactl",
1048 EC_USER | EC_SYSCALL,
1049 EF_NONE,
1050 14,
1051 {{"res", PT_ERRNO, PF_DEC},
1052 {"special", PT_CHARBUF, PF_NA},
1053 {"quotafilepath", PT_CHARBUF, PF_NA},
1054 {"dqb_bhardlimit", PT_UINT64, PF_DEC},
1055 {"dqb_bsoftlimit", PT_UINT64, PF_DEC},
1056 {"dqb_curspace", PT_UINT64, PF_DEC},
1057 {"dqb_ihardlimit", PT_UINT64, PF_DEC},
1058 {"dqb_isoftlimit", PT_UINT64, PF_DEC},
1059 {"dqb_btime", PT_RELTIME, PF_DEC},
1060 {"dqb_itime", PT_RELTIME, PF_DEC},
1061 {"dqi_bgrace", PT_RELTIME, PF_DEC},
1062 {"dqi_igrace", PT_RELTIME, PF_DEC},
1063 {"dqi_flags", PT_FLAGS8, PF_DEC, quotactl_dqi_flags},
1064 {"quota_fmt_out", PT_FLAGS8, PF_DEC, quotactl_quota_fmts}}},
1065 [PPME_SYSCALL_SETRESUID_E] = {"setresuid",
1066 EC_USER | EC_SYSCALL,
1067 EF_MODIFIES_STATE,
1068 3,
1069 {{"ruid", PT_UID, PF_DEC},
1070 {"euid", PT_UID, PF_DEC},
1071 {"suid", PT_UID, PF_DEC}}},
1072 [PPME_SYSCALL_SETRESUID_X] = {"setresuid",
1073 EC_USER | EC_SYSCALL,
1074 EF_MODIFIES_STATE,
1075 1,
1076 {{"res", PT_ERRNO, PF_DEC}}},
1077 [PPME_SYSCALL_SETRESGID_E] = {"setresgid",
1078 EC_USER | EC_SYSCALL,
1079 EF_MODIFIES_STATE,
1080 3,
1081 {{"rgid", PT_GID, PF_DEC},
1082 {"egid", PT_GID, PF_DEC},
1083 {"sgid", PT_GID, PF_DEC}}},
1084 [PPME_SYSCALL_SETRESGID_X] = {"setresgid",
1085 EC_USER | EC_SYSCALL,
1086 EF_MODIFIES_STATE,
1087 1,
1088 {{"res", PT_ERRNO, PF_DEC}}},
1089 [PPME_SCAPEVENT_E] = {"scapevent",
1090 EC_INTERNAL | EC_METAEVENT,
1091 EF_SKIPPARSERESET,
1092 2,
1093 {{"event_type", PT_UINT32, PF_DEC},
1094 {"event_data", PT_UINT64, PF_DEC}}},
1095 [PPME_SCAPEVENT_X] = {"scapevent", EC_INTERNAL | EC_METAEVENT, EF_UNUSED, 0},
1096 [PPME_SYSCALL_SETUID_E] =
1097 {"setuid", EC_USER | EC_SYSCALL, EF_MODIFIES_STATE, 1, {{"uid", PT_UID, PF_DEC}}},
1098 [PPME_SYSCALL_SETUID_X] =
1099 {"setuid", EC_USER | EC_SYSCALL, EF_MODIFIES_STATE, 1, {{"res", PT_ERRNO, PF_DEC}}},
1100 [PPME_SYSCALL_SETGID_E] =
1101 {"setgid", EC_USER | EC_SYSCALL, EF_MODIFIES_STATE, 1, {{"gid", PT_GID, PF_DEC}}},
1102 [PPME_SYSCALL_SETGID_X] =
1103 {"setgid", EC_USER | EC_SYSCALL, EF_MODIFIES_STATE, 1, {{"res", PT_ERRNO, PF_DEC}}},
1104 [PPME_SYSCALL_GETUID_E] = {"getuid", EC_USER | EC_SYSCALL, EF_NONE, 0},
1105 [PPME_SYSCALL_GETUID_X] =
1106 {"getuid", EC_USER | EC_SYSCALL, EF_NONE, 1, {{"uid", PT_UID, PF_DEC}}},
1107 [PPME_SYSCALL_GETEUID_E] = {"geteuid", EC_USER | EC_SYSCALL, EF_NONE, 0},
1108 [PPME_SYSCALL_GETEUID_X] =
1109 {"geteuid", EC_USER | EC_SYSCALL, EF_NONE, 1, {{"euid", PT_UID, PF_DEC}}},
1110 [PPME_SYSCALL_GETGID_E] = {"getgid", EC_USER | EC_SYSCALL, EF_NONE, 0},
1111 [PPME_SYSCALL_GETGID_X] =
1112 {"getgid", EC_USER | EC_SYSCALL, EF_NONE, 1, {{"gid", PT_GID, PF_DEC}}},
1113 [PPME_SYSCALL_GETEGID_E] = {"getegid", EC_USER | EC_SYSCALL, EF_NONE, 0},
1114 [PPME_SYSCALL_GETEGID_X] =
1115 {"getegid", EC_USER | EC_SYSCALL, EF_NONE, 1, {{"egid", PT_GID, PF_DEC}}},
1116 [PPME_SYSCALL_GETRESUID_E] = {"getresuid", EC_USER | EC_SYSCALL, EF_NONE, 0},
1117 [PPME_SYSCALL_GETRESUID_X] = {"getresuid",
1118 EC_USER | EC_SYSCALL,
1119 EF_NONE,
1120 4,
1121 {{"res", PT_ERRNO, PF_DEC},
1122 {"ruid", PT_UID, PF_DEC},
1123 {"euid", PT_UID, PF_DEC},
1124 {"suid", PT_UID, PF_DEC}}},
1125 [PPME_SYSCALL_GETRESGID_E] = {"getresgid", EC_USER | EC_SYSCALL, EF_NONE, 0},
1126 [PPME_SYSCALL_GETRESGID_X] = {"getresgid",
1127 EC_USER | EC_SYSCALL,
1128 EF_NONE,
1129 4,
1130 {{"res", PT_ERRNO, PF_DEC},
1131 {"rgid", PT_GID, PF_DEC},
1132 {"egid", PT_GID, PF_DEC},
1133 {"sgid", PT_GID, PF_DEC}}},
1134 [PPME_SYSCALL_EXECVE_15_E] = {"execve",
1135 EC_PROCESS | EC_SYSCALL,
1136 EF_MODIFIES_STATE | EF_OLD_VERSION,
1137 0},
1138 [PPME_SYSCALL_EXECVE_15_X] = {"execve",
1139 EC_PROCESS | EC_SYSCALL,
1140 EF_MODIFIES_STATE | EF_OLD_VERSION,
1141 15,
1142 {{"res", PT_ERRNO, PF_DEC},
1143 {"exe", PT_CHARBUF, PF_NA},
1144 {"args", PT_BYTEBUF, PF_NA},
1145 {"tid", PT_PID, PF_DEC},
1146 {"pid", PT_PID, PF_DEC},
1147 {"ptid", PT_PID, PF_DEC},
1148 {"cwd", PT_CHARBUF, PF_NA},
1149 {"fdlimit", PT_UINT64, PF_DEC},
1150 {"pgft_maj", PT_UINT64, PF_DEC},
1151 {"pgft_min", PT_UINT64, PF_DEC},
1152 {"vm_size", PT_UINT32, PF_DEC},
1153 {"vm_rss", PT_UINT32, PF_DEC},
1154 {"vm_swap", PT_UINT32, PF_DEC},
1155 {"comm", PT_CHARBUF, PF_NA},
1156 {"env", PT_BYTEBUF, PF_NA}}},
1157 [PPME_SYSCALL_CLONE_17_E] = {"clone",
1158 EC_PROCESS | EC_SYSCALL,
1159 EF_MODIFIES_STATE | EF_OLD_VERSION,
1160 0},
1161 [PPME_SYSCALL_CLONE_17_X] = {"clone",
1162 EC_PROCESS | EC_SYSCALL,
1163 EF_MODIFIES_STATE | EF_OLD_VERSION,
1164 17,
1165 {{"res", PT_PID, PF_DEC},
1166 {"exe", PT_CHARBUF, PF_NA},
1167 {"args", PT_BYTEBUF, PF_NA},
1168 {"tid", PT_PID, PF_DEC},
1169 {"pid", PT_PID, PF_DEC},
1170 {"ptid", PT_PID, PF_DEC},
1171 {"cwd", PT_CHARBUF, PF_NA},
1172 {"fdlimit", PT_INT64, PF_DEC},
1173 {"pgft_maj", PT_UINT64, PF_DEC},
1174 {"pgft_min", PT_UINT64, PF_DEC},
1175 {"vm_size", PT_UINT32, PF_DEC},
1176 {"vm_rss", PT_UINT32, PF_DEC},
1177 {"vm_swap", PT_UINT32, PF_DEC},
1178 {"comm", PT_CHARBUF, PF_NA},
1179 {"flags", PT_FLAGS32, PF_HEX, clone_flags},
1180 {"uid", PT_UINT32, PF_DEC},
1181 {"gid", PT_UINT32, PF_DEC}}},
1182 [PPME_SYSCALL_FORK_17_E] = {"fork",
1183 EC_PROCESS | EC_SYSCALL,
1184 EF_MODIFIES_STATE | EF_OLD_VERSION,
1185 0},
1186 [PPME_SYSCALL_FORK_17_X] = {"fork",
1187 EC_PROCESS | EC_SYSCALL,
1188 EF_MODIFIES_STATE | EF_OLD_VERSION,
1189 17,
1190 {{"res", PT_PID, PF_DEC},
1191 {"exe", PT_CHARBUF, PF_NA},
1192 {"args", PT_BYTEBUF, PF_NA},
1193 {"tid", PT_PID, PF_DEC},
1194 {"pid", PT_PID, PF_DEC},
1195 {"ptid", PT_PID, PF_DEC},
1196 {"cwd", PT_CHARBUF, PF_NA},
1197 {"fdlimit", PT_INT64, PF_DEC},
1198 {"pgft_maj", PT_UINT64, PF_DEC},
1199 {"pgft_min", PT_UINT64, PF_DEC},
1200 {"vm_size", PT_UINT32, PF_DEC},
1201 {"vm_rss", PT_UINT32, PF_DEC},
1202 {"vm_swap", PT_UINT32, PF_DEC},
1203 {"comm", PT_CHARBUF, PF_NA},
1204 {"flags", PT_FLAGS32, PF_HEX, clone_flags},
1205 {"uid", PT_UINT32, PF_DEC},
1206 {"gid", PT_UINT32, PF_DEC}}},
1207 [PPME_SYSCALL_VFORK_17_E] = {"vfork",
1208 EC_PROCESS | EC_SYSCALL,
1209 EF_MODIFIES_STATE | EF_OLD_VERSION,
1210 0},
1211 [PPME_SYSCALL_VFORK_17_X] = {"vfork",
1212 EC_PROCESS | EC_SYSCALL,
1213 EF_MODIFIES_STATE | EF_OLD_VERSION,
1214 17,
1215 {{"res", PT_PID, PF_DEC},
1216 {"exe", PT_CHARBUF, PF_NA},
1217 {"args", PT_BYTEBUF, PF_NA},
1218 {"tid", PT_PID, PF_DEC},
1219 {"pid", PT_PID, PF_DEC},
1220 {"ptid", PT_PID, PF_DEC},
1221 {"cwd", PT_CHARBUF, PF_NA},
1222 {"fdlimit", PT_INT64, PF_DEC},
1223 {"pgft_maj", PT_UINT64, PF_DEC},
1224 {"pgft_min", PT_UINT64, PF_DEC},
1225 {"vm_size", PT_UINT32, PF_DEC},
1226 {"vm_rss", PT_UINT32, PF_DEC},
1227 {"vm_swap", PT_UINT32, PF_DEC},
1228 {"comm", PT_CHARBUF, PF_NA},
1229 {"flags", PT_FLAGS32, PF_HEX, clone_flags},
1230 {"uid", PT_UINT32, PF_DEC},
1231 {"gid", PT_UINT32, PF_DEC}}},
1232 [PPME_SYSCALL_CLONE_20_E] = {"clone", EC_PROCESS | EC_SYSCALL, EF_MODIFIES_STATE, 0},
1233 [PPME_SYSCALL_CLONE_20_X] = {"clone",
1234 EC_PROCESS | EC_SYSCALL,
1235 EF_MODIFIES_STATE,
1236 21,
1237 {{"res", PT_PID, PF_DEC},
1238 {"exe", PT_CHARBUF, PF_NA},
1239 {"args", PT_BYTEBUF, PF_NA},
1240 {"tid", PT_PID, PF_DEC},
1241 {"pid", PT_PID, PF_DEC},
1242 {"ptid", PT_PID, PF_DEC},
1243 {"cwd", PT_CHARBUF, PF_NA},
1244 {"fdlimit", PT_INT64, PF_DEC},
1245 {"pgft_maj", PT_UINT64, PF_DEC},
1246 {"pgft_min", PT_UINT64, PF_DEC},
1247 {"vm_size", PT_UINT32, PF_DEC},
1248 {"vm_rss", PT_UINT32, PF_DEC},
1249 {"vm_swap", PT_UINT32, PF_DEC},
1250 {"comm", PT_CHARBUF, PF_NA},
1251 {"cgroups", PT_BYTEBUF, PF_NA},
1252 {"flags", PT_FLAGS32, PF_HEX, clone_flags},
1253 {"uid", PT_UINT32, PF_DEC},
1254 {"gid", PT_UINT32, PF_DEC},
1255 {"vtid", PT_PID, PF_DEC},
1256 {"vpid", PT_PID, PF_DEC},
1257 {"pidns_init_start_ts", PT_UINT64, PF_DEC}}},
1258 [PPME_SYSCALL_FORK_20_E] = {"fork", EC_PROCESS | EC_SYSCALL, EF_MODIFIES_STATE, 0},
1259 [PPME_SYSCALL_FORK_20_X] = {"fork",
1260 EC_PROCESS | EC_SYSCALL,
1261 EF_MODIFIES_STATE,
1262 21,
1263 {{"res", PT_PID, PF_DEC},
1264 {"exe", PT_CHARBUF, PF_NA},
1265 {"args", PT_BYTEBUF, PF_NA},
1266 {"tid", PT_PID, PF_DEC},
1267 {"pid", PT_PID, PF_DEC},
1268 {"ptid", PT_PID, PF_DEC},
1269 {"cwd", PT_CHARBUF, PF_NA},
1270 {"fdlimit", PT_INT64, PF_DEC},
1271 {"pgft_maj", PT_UINT64, PF_DEC},
1272 {"pgft_min", PT_UINT64, PF_DEC},
1273 {"vm_size", PT_UINT32, PF_DEC},
1274 {"vm_rss", PT_UINT32, PF_DEC},
1275 {"vm_swap", PT_UINT32, PF_DEC},
1276 {"comm", PT_CHARBUF, PF_NA},
1277 {"cgroups", PT_BYTEBUF, PF_NA},
1278 {"flags", PT_FLAGS32, PF_HEX, clone_flags},
1279 {"uid", PT_UINT32, PF_DEC},
1280 {"gid", PT_UINT32, PF_DEC},
1281 {"vtid", PT_PID, PF_DEC},
1282 {"vpid", PT_PID, PF_DEC},
1283 {"pidns_init_start_ts", PT_UINT64, PF_DEC}}},
1284 [PPME_SYSCALL_VFORK_20_E] = {"vfork", EC_PROCESS | EC_SYSCALL, EF_MODIFIES_STATE, 0},
1285 [PPME_SYSCALL_VFORK_20_X] = {"vfork",
1286 EC_PROCESS | EC_SYSCALL,
1287 EF_MODIFIES_STATE,
1288 21,
1289 {{"res", PT_PID, PF_DEC},
1290 {"exe", PT_CHARBUF, PF_NA},
1291 {"args", PT_BYTEBUF, PF_NA},
1292 {"tid", PT_PID, PF_DEC},
1293 {"pid", PT_PID, PF_DEC},
1294 {"ptid", PT_PID, PF_DEC},
1295 {"cwd", PT_CHARBUF, PF_NA},
1296 {"fdlimit", PT_INT64, PF_DEC},
1297 {"pgft_maj", PT_UINT64, PF_DEC},
1298 {"pgft_min", PT_UINT64, PF_DEC},
1299 {"vm_size", PT_UINT32, PF_DEC},
1300 {"vm_rss", PT_UINT32, PF_DEC},
1301 {"vm_swap", PT_UINT32, PF_DEC},
1302 {"comm", PT_CHARBUF, PF_NA},
1303 {"cgroups", PT_BYTEBUF, PF_NA},
1304 {"flags", PT_FLAGS32, PF_HEX, clone_flags},
1305 {"uid", PT_UINT32, PF_DEC},
1306 {"gid", PT_UINT32, PF_DEC},
1307 {"vtid", PT_PID, PF_DEC},
1308 {"vpid", PT_PID, PF_DEC},
1309 {"pidns_init_start_ts", PT_UINT64, PF_DEC}}},
1310 [PPME_CONTAINER_E] = {"container",
1311 EC_INTERNAL | EC_METAEVENT,
1312 EF_SKIPPARSERESET | EF_MODIFIES_STATE | EF_OLD_VERSION,
1313 4,
1314 {{"id", PT_CHARBUF, PF_NA},
1315 {"type", PT_UINT32, PF_DEC},
1316 {"name", PT_CHARBUF, PF_NA},
1317 {"image", PT_CHARBUF, PF_NA}}},
1318 [PPME_CONTAINER_X] = {"NA", EC_UNKNOWN, EF_UNUSED | EF_OLD_VERSION, 0},
1319 [PPME_SYSCALL_EXECVE_16_E] = {"execve",
1320 EC_PROCESS | EC_SYSCALL,
1321 EF_MODIFIES_STATE | EF_OLD_VERSION,
1322 0},
1323 [PPME_SYSCALL_EXECVE_16_X] = {"execve",
1324 EC_PROCESS | EC_SYSCALL,
1325 EF_MODIFIES_STATE | EF_OLD_VERSION,
1326 16,
1327 {{"res", PT_ERRNO, PF_DEC},
1328 {"exe", PT_CHARBUF, PF_NA},
1329 {"args", PT_BYTEBUF, PF_NA},
1330 {"tid", PT_PID, PF_DEC},
1331 {"pid", PT_PID, PF_DEC},
1332 {"ptid", PT_PID, PF_DEC},
1333 {"cwd", PT_CHARBUF, PF_NA},
1334 {"fdlimit", PT_UINT64, PF_DEC},
1335 {"pgft_maj", PT_UINT64, PF_DEC},
1336 {"pgft_min", PT_UINT64, PF_DEC},
1337 {"vm_size", PT_UINT32, PF_DEC},
1338 {"vm_rss", PT_UINT32, PF_DEC},
1339 {"vm_swap", PT_UINT32, PF_DEC},
1340 {"comm", PT_CHARBUF, PF_NA},
1341 {"cgroups", PT_BYTEBUF, PF_NA},
1342 {"env", PT_BYTEBUF, PF_NA}}},
1343 [PPME_SIGNALDELIVER_E] = {"signaldeliver",
1344 EC_SIGNAL | EC_TRACEPOINT,
1345 EF_NONE,
1346 3,
1347 {{"spid", PT_PID, PF_DEC},
1348 {"dpid", PT_PID, PF_DEC},
1349 {"sig", PT_SIGTYPE, PF_DEC}}},
1350 [PPME_SIGNALDELIVER_X] = {"NA", EC_UNKNOWN, EF_UNUSED, 0},
1351 [PPME_PROCINFO_E] = {"procinfo",
1352 EC_INTERNAL | EC_METAEVENT,
1353 EF_SKIPPARSERESET,
1354 2,
1355 {{"cpu_usr", PT_UINT64, PF_DEC}, {"cpu_sys", PT_UINT64, PF_DEC}}},
1356 [PPME_PROCINFO_X] = {"NA", EC_UNKNOWN, EF_UNUSED, 0},
1357 [PPME_SYSCALL_GETDENTS_E] =
1358 {"getdents", EC_FILE | EC_SYSCALL, EF_USES_FD, 1, {{"fd", PT_FD, PF_NA}}},
1359 [PPME_SYSCALL_GETDENTS_X] =
1360 {"getdents", EC_FILE | EC_SYSCALL, EF_USES_FD, 1, {{"res", PT_ERRNO, PF_DEC}}},
1361 [PPME_SYSCALL_GETDENTS64_E] =
1362 {"getdents64", EC_FILE | EC_SYSCALL, EF_USES_FD, 1, {{"fd", PT_FD, PF_NA}}},
1363 [PPME_SYSCALL_GETDENTS64_X] =
1364 {"getdents64", EC_FILE | EC_SYSCALL, EF_USES_FD, 1, {{"res", PT_ERRNO, PF_DEC}}},
1365 [PPME_SYSCALL_SETNS_E] = {"setns",
1366 EC_PROCESS | EC_SYSCALL,
1367 EF_USES_FD,
1368 2,
1369 {{"fd", PT_FD, PF_NA},
1370 {"nstype", PT_FLAGS32, PF_HEX, clone_flags}}},
1371 [PPME_SYSCALL_SETNS_X] =
1372 {"setns", EC_PROCESS | EC_SYSCALL, EF_USES_FD, 1, {{"res", PT_ERRNO, PF_DEC}}},
1373 [PPME_SYSCALL_FLOCK_E] = {"flock",
1374 EC_FILE | EC_SYSCALL,
1375 EF_USES_FD,
1376 2,
1377 {{"fd", PT_FD, PF_NA},
1378 {"operation", PT_FLAGS32, PF_HEX, flock_flags}}},
1379 [PPME_SYSCALL_FLOCK_X] =
1380 {"flock", EC_FILE | EC_SYSCALL, EF_USES_FD, 1, {{"res", PT_ERRNO, PF_DEC}}},
1381 [PPME_CPU_HOTPLUG_E] = {"cpu_hotplug",
1382 EC_SYSTEM | EC_METAEVENT,
1383 EF_SKIPPARSERESET | EF_MODIFIES_STATE,
1384 2,
1385 {{"cpu", PT_UINT32, PF_DEC}, {"action", PT_UINT32, PF_DEC}}},
1386 [PPME_CPU_HOTPLUG_X] = {"NA", EC_UNKNOWN, EF_UNUSED, 0},
1387 [PPME_SOCKET_ACCEPT_5_E] = {"accept",
1388 EC_NET | EC_SYSCALL,
1389 EF_CREATES_FD | EF_MODIFIES_STATE | EF_TMP_CONVERTER_MANAGED,
1390 0},
1391 [PPME_SOCKET_ACCEPT_5_X] = {"accept",
1392 EC_NET | EC_SYSCALL,
1393 EF_CREATES_FD | EF_MODIFIES_STATE,
1394 5,
1395 {{"fd", PT_FD, PF_DEC},
1396 {"tuple", PT_SOCKTUPLE, PF_NA},
1397 {"queuepct", PT_UINT8, PF_DEC},
1398 {"queuelen", PT_UINT32, PF_DEC},
1399 {"queuemax", PT_UINT32, PF_DEC}}},
1400 [PPME_SOCKET_ACCEPT4_5_E] = {"accept",
1401 EC_NET | EC_SYSCALL,
1402 EF_CREATES_FD | EF_MODIFIES_STATE | EF_OLD_VERSION,
1403 1,
1404 {{"flags", PT_INT32, PF_HEX}}},
1405 [PPME_SOCKET_ACCEPT4_5_X] = {"accept",
1406 EC_NET | EC_SYSCALL,
1407 EF_CREATES_FD | EF_MODIFIES_STATE | EF_OLD_VERSION,
1408 5,
1409 {{"fd", PT_FD, PF_DEC},
1410 {"tuple", PT_SOCKTUPLE, PF_NA},
1411 {"queuepct", PT_UINT8, PF_DEC},
1412 {"queuelen", PT_UINT32, PF_DEC},
1413 {"queuemax", PT_UINT32, PF_DEC}}},
1414 [PPME_SYSCALL_SEMOP_E] =
1415 {"semop", EC_PROCESS | EC_SYSCALL, EF_NONE, 1, {{"semid", PT_INT32, PF_DEC}}},
1416 [PPME_SYSCALL_SEMOP_X] = {"semop",
1417 EC_PROCESS | EC_SYSCALL,
1418 EF_NONE,
1419 8,
1420 {{"res", PT_ERRNO, PF_DEC},
1421 {"nsops", PT_UINT32, PF_DEC},
1422 {"sem_num_0", PT_UINT16, PF_DEC},
1423 {"sem_op_0", PT_INT16, PF_DEC},
1424 {"sem_flg_0", PT_FLAGS16, PF_HEX, semop_flags},
1425 {"sem_num_1", PT_UINT16, PF_DEC},
1426 {"sem_op_1", PT_INT16, PF_DEC},
1427 {"sem_flg_1", PT_FLAGS16, PF_HEX, semop_flags}}},
1428 [PPME_SYSCALL_SEMCTL_E] = {"semctl",
1429 EC_PROCESS | EC_SYSCALL,
1430 EF_NONE,
1431 4,
1432 {{"semid", PT_INT32, PF_DEC},
1433 {"semnum", PT_INT32, PF_DEC},
1434 {"cmd", PT_FLAGS16, PF_HEX, semctl_commands},
1435 {"val", PT_INT32, PF_DEC}}},
1436 [PPME_SYSCALL_SEMCTL_X] =
1437 {"semctl", EC_PROCESS | EC_SYSCALL, EF_NONE, 1, {{"res", PT_ERRNO, PF_DEC}}},
1438 [PPME_SYSCALL_PPOLL_E] = {"ppoll",
1439 EC_WAIT | EC_SYSCALL,
1440 EF_WAITS,
1441 3,
1442 {{"fds", PT_FDLIST, PF_DEC},
1443 {"timeout", PT_RELTIME, PF_DEC},
1444 {"sigmask", PT_SIGSET, PF_DEC}}},
1445 [PPME_SYSCALL_PPOLL_X] = {"ppoll",
1446 EC_WAIT | EC_SYSCALL,
1447 EF_WAITS,
1448 2,
1449 {{"res", PT_ERRNO, PF_DEC}, {"fds", PT_FDLIST, PF_DEC}}},
1450 [PPME_SYSCALL_MOUNT_E] = {"mount",
1451 EC_FILE | EC_SYSCALL,
1452 EF_MODIFIES_STATE,
1453 1,
1454 {{"flags", PT_FLAGS32, PF_HEX, mount_flags}}},
1455 [PPME_SYSCALL_MOUNT_X] = {"mount",
1456 EC_FILE | EC_SYSCALL,
1457 EF_MODIFIES_STATE,
1458 4,
1459 {{"res", PT_ERRNO, PF_DEC},
1460 {"dev", PT_CHARBUF, PF_NA},
1461 {"dir", PT_FSPATH, PF_NA},
1462 {"type", PT_CHARBUF, PF_NA}}},
1463 [PPME_SYSCALL_UMOUNT_E] = {"umount",
1464 EC_FILE | EC_SYSCALL,
1465 EF_MODIFIES_STATE | EF_OLD_VERSION,
1466 1,
1467 {{"flags", PT_FLAGS32, PF_HEX, umount_flags}}},
1468 [PPME_SYSCALL_UMOUNT_X] = {"umount",
1469 EC_FILE | EC_SYSCALL,
1470 EF_MODIFIES_STATE | EF_OLD_VERSION,
1471 2,
1472 {{"res", PT_ERRNO, PF_DEC}, {"name", PT_FSPATH, PF_NA}}},
1473 [PPME_K8S_E] = {"k8s",
1474 EC_INTERNAL | EC_METAEVENT,
1475 EF_SKIPPARSERESET | EF_MODIFIES_STATE,
1476 1,
1477 {{"json", PT_CHARBUF, PF_NA}}},
1478 [PPME_K8S_X] = {"NA", EC_UNKNOWN, EF_UNUSED, 0},
1479 [PPME_SYSCALL_SEMGET_E] = {"semget",
1480 EC_PROCESS | EC_SYSCALL,
1481 EF_NONE,
1482 3,
1483 {{"key", PT_INT32, PF_HEX},
1484 {"nsems", PT_INT32, PF_DEC},
1485 {"semflg", PT_FLAGS32, PF_HEX, semget_flags}}},
1486 [PPME_SYSCALL_SEMGET_X] =
1487 {"semget", EC_PROCESS | EC_SYSCALL, EF_NONE, 1, {{"res", PT_ERRNO, PF_DEC}}},
1488 [PPME_SYSCALL_ACCESS_E] = {"access",
1489 EC_FILE | EC_SYSCALL,
1490 EF_NONE,
1491 1,
1492 {{"mode", PT_FLAGS32, PF_HEX, access_flags}}},
1493 [PPME_SYSCALL_ACCESS_X] = {"access",
1494 EC_FILE | EC_SYSCALL,
1495 EF_NONE,
1496 2,
1497 {{"res", PT_ERRNO, PF_DEC}, {"name", PT_FSPATH, PF_NA}}},
1498 [PPME_SYSCALL_CHROOT_E] = {"chroot", EC_PROCESS | EC_SYSCALL, EF_MODIFIES_STATE, 0},
1499 [PPME_SYSCALL_CHROOT_X] = {"chroot",
1500 EC_PROCESS | EC_SYSCALL,
1501 EF_MODIFIES_STATE,
1502 2,
1503 {{"res", PT_ERRNO, PF_DEC}, {"path", PT_FSPATH, PF_NA}}},
1504 [PPME_TRACER_E] = {"tracer",
1505 EC_OTHER | EC_METAEVENT,
1506 EF_NONE,
1507 3,
1508 {{"id", PT_INT64, PF_DEC},
1509 {"tags", PT_CHARBUFARRAY, PF_NA},
1510 {"args", PT_CHARBUF_PAIR_ARRAY, PF_NA}}},
1511 [PPME_TRACER_X] = {"tracer",
1512 EC_OTHER | EC_METAEVENT,
1513 EF_NONE,
1514 3,
1515 {{"id", PT_INT64, PF_DEC},
1516 {"tags", PT_CHARBUFARRAY, PF_NA},
1517 {"args", PT_CHARBUF_PAIR_ARRAY, PF_NA}}},
1518 [PPME_MESOS_E] = {"mesos",
1519 EC_INTERNAL | EC_METAEVENT,
1520 EF_SKIPPARSERESET | EF_MODIFIES_STATE,
1521 1,
1522 {{"json", PT_CHARBUF, PF_NA}}},
1523 [PPME_MESOS_X] = {"NA", EC_UNKNOWN, EF_UNUSED, 0},
1524 [PPME_CONTAINER_JSON_E] =
1525 {"container",
1526 EC_PROCESS | EC_METAEVENT,
1527 EF_MODIFIES_STATE | EF_OLD_VERSION,
1528 1,
1529 {{"json", PT_CHARBUF, PF_NA}}},
1530 [PPME_CONTAINER_JSON_X] = {"NA", EC_UNKNOWN, EF_UNUSED | EF_OLD_VERSION, 0},
1531 [PPME_SYSCALL_SETSID_E] = {"setsid", EC_PROCESS | EC_SYSCALL, EF_MODIFIES_STATE, 0},
1532 [PPME_SYSCALL_SETSID_X] = {"setsid",
1533 EC_PROCESS | EC_SYSCALL,
1534 EF_MODIFIES_STATE,
1535 1,
1536 {{"res", PT_PID, PF_DEC}}},
1537 [PPME_SYSCALL_MKDIR_2_E] =
1538 {"mkdir", EC_FILE | EC_SYSCALL, EF_NONE, 1, {{"mode", PT_UINT32, PF_HEX}}},
1539 [PPME_SYSCALL_MKDIR_2_X] = {"mkdir",
1540 EC_FILE | EC_SYSCALL,
1541 EF_NONE,
1542 2,
1543 {{"res", PT_ERRNO, PF_DEC}, {"path", PT_FSPATH, PF_NA}}},
1544 [PPME_SYSCALL_RMDIR_2_E] = {"rmdir", EC_FILE | EC_SYSCALL, EF_NONE, 0},
1545 [PPME_SYSCALL_RMDIR_2_X] = {"rmdir",
1546 EC_FILE | EC_SYSCALL,
1547 EF_NONE,
1548 2,
1549 {{"res", PT_ERRNO, PF_DEC}, {"path", PT_FSPATH, PF_NA}}},
1550 [PPME_NOTIFICATION_E] = {"notification",
1551 EC_OTHER | EC_METAEVENT,
1552 EF_SKIPPARSERESET,
1553 2,
1554 {
1555 {"id", PT_CHARBUF, PF_DEC},
1556 {"desc", PT_CHARBUF, PF_NA},
1557 }},
1558 [PPME_NOTIFICATION_X] = {"NA", EC_UNKNOWN, EF_UNUSED, 0},
1559 [PPME_SYSCALL_EXECVE_17_E] = {"execve",
1560 EC_PROCESS | EC_SYSCALL,
1561 EF_MODIFIES_STATE | EF_OLD_VERSION,
1562 0},
1563 [PPME_SYSCALL_EXECVE_17_X] = {"execve",
1564 EC_PROCESS | EC_SYSCALL,
1565 EF_MODIFIES_STATE | EF_OLD_VERSION,
1566 17,
1567 {{"res", PT_ERRNO, PF_DEC},
1568 {"exe", PT_CHARBUF, PF_NA},
1569 {"args", PT_BYTEBUF, PF_NA},
1570 {"tid", PT_PID, PF_DEC},
1571 {"pid", PT_PID, PF_DEC},
1572 {"ptid", PT_PID, PF_DEC},
1573 {"cwd", PT_CHARBUF, PF_NA},
1574 {"fdlimit", PT_UINT64, PF_DEC},
1575 {"pgft_maj", PT_UINT64, PF_DEC},
1576 {"pgft_min", PT_UINT64, PF_DEC},
1577 {"vm_size", PT_UINT32, PF_DEC},
1578 {"vm_rss", PT_UINT32, PF_DEC},
1579 {"vm_swap", PT_UINT32, PF_DEC},
1580 {"comm", PT_CHARBUF, PF_NA},
1581 {"cgroups", PT_BYTEBUF, PF_NA},
1582 {"env", PT_BYTEBUF, PF_NA},
1583 {"tty", PT_INT32, PF_DEC}}},
1584 [PPME_SYSCALL_UNSHARE_E] = {"unshare",
1585 EC_PROCESS | EC_SYSCALL,
1586 EF_NONE,
1587 1,
1588 {{"flags", PT_FLAGS32, PF_HEX, clone_flags}}},
1589 [PPME_SYSCALL_UNSHARE_X] =
1590 {"unshare", EC_PROCESS | EC_SYSCALL, EF_NONE, 1, {{"res", PT_ERRNO, PF_DEC}}},
1591 [PPME_INFRASTRUCTURE_EVENT_E] = {"infra",
1592 EC_INTERNAL | EC_METAEVENT,
1593 EF_SKIPPARSERESET,
1594 4,
1595 {{"source", PT_CHARBUF, PF_DEC},
1596 {"name", PT_CHARBUF, PF_NA},
1597 {"description", PT_CHARBUF, PF_NA},
1598 {"scope", PT_CHARBUF, PF_NA}}},
1599 [PPME_INFRASTRUCTURE_EVENT_X] = {"NA", EC_UNKNOWN, EF_UNUSED, 0},
1600 [PPME_SYSCALL_EXECVE_18_E] = {"execve",
1601 EC_PROCESS | EC_SYSCALL,
1602 EF_MODIFIES_STATE | EF_OLD_VERSION,
1603 1,
1604 {{"filename", PT_FSPATH, PF_NA}}},
1605 [PPME_SYSCALL_EXECVE_18_X] = {"execve",
1606 EC_PROCESS | EC_SYSCALL,
1607 EF_MODIFIES_STATE | EF_OLD_VERSION,
1608 17,
1609 {{"res", PT_ERRNO, PF_DEC},
1610 {"exe", PT_CHARBUF, PF_NA},
1611 {"args", PT_BYTEBUF, PF_NA},
1612 {"tid", PT_PID, PF_DEC},
1613 {"pid", PT_PID, PF_DEC},
1614 {"ptid", PT_PID, PF_DEC},
1615 {"cwd", PT_CHARBUF, PF_NA},
1616 {"fdlimit", PT_UINT64, PF_DEC},
1617 {"pgft_maj", PT_UINT64, PF_DEC},
1618 {"pgft_min", PT_UINT64, PF_DEC},
1619 {"vm_size", PT_UINT32, PF_DEC},
1620 {"vm_rss", PT_UINT32, PF_DEC},
1621 {"vm_swap", PT_UINT32, PF_DEC},
1622 {"comm", PT_CHARBUF, PF_NA},
1623 {"cgroups", PT_BYTEBUF, PF_NA},
1624 {"env", PT_BYTEBUF, PF_NA},
1625 {"tty", PT_INT32, PF_DEC}}},
1626 [PPME_PAGE_FAULT_E] = {"page_fault",
1627 EC_OTHER | EC_TRACEPOINT,
1628 EF_SKIPPARSERESET,
1629 3,
1630 {{"addr", PT_UINT64, PF_HEX},
1631 {"ip", PT_UINT64, PF_HEX},
1632 {"error", PT_FLAGS32, PF_HEX, pf_flags}}},
1633 [PPME_PAGE_FAULT_X] = {"NA", EC_UNKNOWN, EF_UNUSED, 0},
1634 [PPME_SYSCALL_EXECVE_19_E] = {"execve",
1635 EC_PROCESS | EC_SYSCALL,
1636 EF_MODIFIES_STATE,
1637 1,
1638 {{"filename", PT_FSPATH, PF_NA}}},
1639 [PPME_SYSCALL_EXECVE_19_X] = {"execve",
1640 EC_PROCESS | EC_SYSCALL,
1641 EF_MODIFIES_STATE,
1642 30,
1643 {{"res", PT_ERRNO, PF_DEC},
1644 {"exe", PT_CHARBUF, PF_NA},
1645 {"args", PT_BYTEBUF, PF_NA},
1646 {"tid", PT_PID, PF_DEC},
1647 {"pid", PT_PID, PF_DEC},
1648 {"ptid", PT_PID, PF_DEC},
1649 {"cwd", PT_CHARBUF, PF_NA},
1650 {"fdlimit", PT_UINT64, PF_DEC},
1651 {"pgft_maj", PT_UINT64, PF_DEC},
1652 {"pgft_min", PT_UINT64, PF_DEC},
1653 {"vm_size", PT_UINT32, PF_DEC},
1654 {"vm_rss", PT_UINT32, PF_DEC},
1655 {"vm_swap", PT_UINT32, PF_DEC},
1656 {"comm", PT_CHARBUF, PF_NA},
1657 {"cgroups", PT_BYTEBUF, PF_NA},
1658 {"env", PT_BYTEBUF, PF_NA},
1659 {"tty", PT_UINT32, PF_DEC},
1660 {"vpgid", PT_PID, PF_DEC},
1661 {"loginuid", PT_UID, PF_DEC},
1662 {"flags", PT_FLAGS32, PF_HEX, execve_flags},
1663 {"cap_inheritable", PT_UINT64, PF_HEX},
1664 {"cap_permitted", PT_UINT64, PF_HEX},
1665 {"cap_effective", PT_UINT64, PF_HEX},
1666 {"exe_ino", PT_UINT64, PF_DEC},
1667 {"exe_ino_ctime", PT_ABSTIME, PF_DEC},
1668 {"exe_ino_mtime", PT_ABSTIME, PF_DEC},
1669 {"uid", PT_UID, PF_DEC},
1670 {"trusted_exepath", PT_FSPATH, PF_NA},
1671 {"pgid", PT_PID, PF_NA},
1672 {"gid", PT_GID, PF_DEC}}},
1673 [PPME_SYSCALL_SETPGID_E] = {"setpgid",
1674 EC_PROCESS | EC_SYSCALL,
1675 EF_MODIFIES_STATE,
1676 2,
1677 {{"pid", PT_PID, PF_DEC}, {"pgid", PT_PID, PF_DEC}}},
1678 [PPME_SYSCALL_SETPGID_X] = {"setpgid",
1679 EC_PROCESS | EC_SYSCALL,
1680 EF_MODIFIES_STATE,
1681 1,
1682 {{"res", PT_PID, PF_DEC}}},
1683 [PPME_SYSCALL_BPF_E] = {"bpf",
1684 EC_OTHER | EC_SYSCALL,
1685 EF_CREATES_FD | EF_OLD_VERSION,
1686 1,
1687 {{"cmd", PT_INT64, PF_DEC}}},
1688 [PPME_SYSCALL_BPF_X] =
1689 {"bpf",
1690 EC_OTHER | EC_SYSCALL,
1691 EF_CREATES_FD | EF_OLD_VERSION,
1692 1,
1693 {{"res_or_fd", PT_DYN, PF_DEC, bpf_dynamic_param, PPM_BPF_IDX_MAX}}},
1694 [PPME_SYSCALL_SECCOMP_E] = {"seccomp",
1695 EC_OTHER | EC_SYSCALL,
1696 EF_NONE,
1697 2,
1698 {{"op", PT_UINT64, PF_DEC}, {"flags", PT_UINT64, PF_HEX}}},
1699 [PPME_SYSCALL_SECCOMP_X] =
1700 {"seccomp", EC_OTHER | EC_SYSCALL, EF_NONE, 1, {{"res", PT_ERRNO, PF_DEC}}},
1701 [PPME_SYSCALL_UNLINK_2_E] = {"unlink", EC_FILE | EC_SYSCALL, EF_NONE, 0},
1702 [PPME_SYSCALL_UNLINK_2_X] = {"unlink",
1703 EC_FILE | EC_SYSCALL,
1704 EF_NONE,
1705 2,
1706 {{"res", PT_ERRNO, PF_DEC}, {"path", PT_FSPATH, PF_NA}}},
1707 [PPME_SYSCALL_UNLINKAT_2_E] = {"unlinkat", EC_FILE | EC_SYSCALL, EF_NONE, 0},
1708 [PPME_SYSCALL_UNLINKAT_2_X] = {"unlinkat",
1709 EC_FILE | EC_SYSCALL,
1710 EF_NONE,
1711 4,
1712 {{"res", PT_ERRNO, PF_DEC},
1713 {"dirfd", PT_FD, PF_DEC},
1714 {"name", PT_FSRELPATH, PF_NA, 1},
1715 {"flags", PT_FLAGS32, PF_HEX, unlinkat_flags}}},
1716 [PPME_SYSCALL_MKDIRAT_E] = {"mkdirat", EC_FILE | EC_SYSCALL, EF_NONE, 0},
1717 [PPME_SYSCALL_MKDIRAT_X] = {"mkdirat",
1718 EC_FILE | EC_SYSCALL,
1719 EF_NONE,
1720 4,
1721 {{"res", PT_ERRNO, PF_DEC},
1722 {"dirfd", PT_FD, PF_DEC},
1723 {"path", PT_FSRELPATH, PF_NA, 1},
1724 {"mode", PT_UINT32, PF_HEX}}},
1725 [PPME_SYSCALL_OPENAT_2_E] = {"openat",
1726 EC_FILE | EC_SYSCALL,
1727 EF_CREATES_FD | EF_MODIFIES_STATE,
1728 4,
1729 {{"dirfd", PT_FD, PF_DEC},
1730 {"name", PT_FSRELPATH, PF_NA, 0},
1731 {"flags", PT_FLAGS32, PF_HEX, file_flags},
1732 {"mode", PT_UINT32, PF_OCT}}},
1733 [PPME_SYSCALL_OPENAT_2_X] = {"openat",
1734 EC_FILE | EC_SYSCALL,
1735 EF_CREATES_FD | EF_MODIFIES_STATE,
1736 7,
1737 {{"fd", PT_FD, PF_DEC},
1738 {"dirfd", PT_FD, PF_DEC},
1739 {"name", PT_FSRELPATH, PF_NA, 1},
1740 {"flags", PT_FLAGS32, PF_HEX, file_flags},
1741 {"mode", PT_UINT32, PF_OCT},
1742 {"dev", PT_UINT32, PF_HEX},
1743 {"ino", PT_UINT64, PF_DEC}}},
1744 [PPME_SYSCALL_LINK_2_E] = {"link", EC_FILE | EC_SYSCALL, EF_NONE, 0},
1745 [PPME_SYSCALL_LINK_2_X] = {"link",
1746 EC_FILE | EC_SYSCALL,
1747 EF_NONE,
1748 3,
1749 {{"res", PT_ERRNO, PF_DEC},
1750 {"oldpath", PT_FSPATH, PF_NA},
1751 {"newpath", PT_FSPATH, PF_NA}}},
1752 [PPME_SYSCALL_LINKAT_2_E] = {"linkat", EC_FILE | EC_SYSCALL, EF_NONE, 0},
1753 [PPME_SYSCALL_LINKAT_2_X] = {"linkat",
1754 EC_FILE | EC_SYSCALL,
1755 EF_NONE,
1756 6,
1757 {{"res", PT_ERRNO, PF_DEC},
1758 {"olddir", PT_FD, PF_DEC},
1759 {"oldpath", PT_FSRELPATH, PF_NA, 1},
1760 {"newdir", PT_FD, PF_DEC},
1761 {"newpath", PT_FSRELPATH, PF_NA, 3},
1762 {"flags", PT_FLAGS32, PF_HEX, linkat_flags}}},
1763 [PPME_SYSCALL_FCHMODAT_E] = {"fchmodat", EC_FILE | EC_SYSCALL, EF_NONE, 0},
1764 [PPME_SYSCALL_FCHMODAT_X] = {"fchmodat",
1765 EC_FILE | EC_SYSCALL,
1766 EF_NONE,
1767 4,
1768 {{"res", PT_ERRNO, PF_DEC},
1769 {"dirfd", PT_FD, PF_DEC},
1770 {"filename", PT_FSRELPATH, PF_NA, 1},
1771 {"mode", PT_MODE, PF_OCT, chmod_mode}}},
1772 [PPME_SYSCALL_CHMOD_E] = {"chmod", EC_FILE | EC_SYSCALL, EF_NONE, 0},
1773 [PPME_SYSCALL_CHMOD_X] = {"chmod",
1774 EC_FILE | EC_SYSCALL,
1775 EF_NONE,
1776 3,
1777 {{"res", PT_ERRNO, PF_DEC},
1778 {"filename", PT_FSPATH, PF_NA},
1779 {"mode", PT_MODE, PF_OCT, chmod_mode}}},
1780 [PPME_SYSCALL_FCHMOD_E] = {"fchmod", EC_FILE | EC_SYSCALL, EF_NONE, 0},
1781 [PPME_SYSCALL_FCHMOD_X] = {"fchmod",
1782 EC_FILE | EC_SYSCALL,
1783 EF_USES_FD,
1784 3,
1785 {{"res", PT_ERRNO, PF_DEC},
1786 {"fd", PT_FD, PF_DEC},
1787 {"mode", PT_MODE, PF_OCT, chmod_mode}}},
1788 [PPME_SYSCALL_RENAMEAT2_E] = {"renameat2", EC_FILE | EC_SYSCALL, EF_NONE, 0},
1789 [PPME_SYSCALL_RENAMEAT2_X] = {"renameat2",
1790 EC_FILE | EC_SYSCALL,
1791 EF_NONE,
1792 6,
1793 {{"res", PT_ERRNO, PF_DEC},
1794 {"olddirfd", PT_FD, PF_DEC},
1795 {"oldpath", PT_FSRELPATH, PF_NA, 1},
1796 {"newdirfd", PT_FD, PF_DEC},
1797 {"newpath", PT_FSRELPATH, PF_NA, 3},
1798 {"flags", PT_FLAGS32, PF_HEX, renameat2_flags}}},
1799 [PPME_SYSCALL_USERFAULTFD_E] = {"userfaultfd",
1800 EC_FILE | EC_SYSCALL,
1801 EF_CREATES_FD | EF_MODIFIES_STATE,
1802 0},
1803 [PPME_SYSCALL_USERFAULTFD_X] = {"userfaultfd",
1804 EC_FILE | EC_SYSCALL,
1805 EF_CREATES_FD | EF_MODIFIES_STATE,
1806 2,
1807 {{"res", PT_ERRNO, PF_DEC},
1808 {"flags", PT_FLAGS32, PF_HEX, file_flags}}},
1809 [PPME_PLUGINEVENT_E] = {"pluginevent",
1810 EC_OTHER | EC_PLUGIN,
1811 EF_LARGE_PAYLOAD,
1812 2,
1813 {{"plugin_id", PT_UINT32, PF_DEC},
1814 {"event_data", PT_BYTEBUF, PF_NA}}},
1815 [PPME_PLUGINEVENT_X] = {"NA", EC_UNKNOWN, EF_UNUSED, 0},
1816 [PPME_CONTAINER_JSON_2_E] =
1817 {"container",
1818 EC_PROCESS | EC_METAEVENT,
1819 EF_MODIFIES_STATE | EF_LARGE_PAYLOAD,
1820 1,
1821 {{"json", PT_CHARBUF, PF_NA}}},
1822 [PPME_CONTAINER_JSON_2_X] = {"NA", EC_UNKNOWN, EF_UNUSED, 0},
1823 [PPME_SYSCALL_OPENAT2_E] = {"openat2",
1824 EC_FILE | EC_SYSCALL,
1825 EF_CREATES_FD | EF_MODIFIES_STATE,
1826 5,
1827 {{"dirfd", PT_FD, PF_DEC},
1828 {"name", PT_FSRELPATH, PF_NA, 0},
1829 {"flags", PT_FLAGS32, PF_HEX, file_flags},
1830 {"mode", PT_UINT32, PF_OCT},
1831 {"resolve", PT_FLAGS32, PF_HEX, openat2_flags}}},
1832 [PPME_SYSCALL_OPENAT2_X] = {"openat2",
1833 EC_FILE | EC_SYSCALL,
1834 EF_CREATES_FD | EF_MODIFIES_STATE,
1835 8,
1836 {{"fd", PT_FD, PF_DEC},
1837 {"dirfd", PT_FD, PF_DEC},
1838 {"name", PT_FSRELPATH, PF_NA, 1},
1839 {"flags", PT_FLAGS32, PF_HEX, file_flags},
1840 {"mode", PT_UINT32, PF_OCT},
1841 {"resolve", PT_FLAGS32, PF_HEX, openat2_flags},
1842 {"dev", PT_UINT32, PF_HEX},
1843 {"ino", PT_UINT64, PF_DEC}}},
1844 [PPME_SYSCALL_MPROTECT_E] = {"mprotect",
1845 EC_MEMORY | EC_SYSCALL,
1846 EF_NONE,
1847 3,
1848 {{"addr", PT_UINT64, PF_HEX},
1849 {"length", PT_UINT64, PF_DEC},
1850 {"prot", PT_FLAGS32, PF_HEX, prot_flags}}},
1851 [PPME_SYSCALL_MPROTECT_X] =
1852 {"mprotect", EC_MEMORY | EC_SYSCALL, EF_NONE, 1, {{"res", PT_ERRNO, PF_DEC}}},
1853 [PPME_SYSCALL_EXECVEAT_E] = {"execveat",
1854 EC_PROCESS | EC_SYSCALL,
1855 EF_MODIFIES_STATE,
1856 3,
1857 {{"dirfd", PT_FD, PF_DEC},
1858 {"pathname", PT_FSRELPATH, PF_NA, 0},
1859 {"flags", PT_FLAGS32, PF_HEX, execveat_flags}}},
1860 [PPME_SYSCALL_EXECVEAT_X] = {"execveat",
1861 EC_PROCESS | EC_SYSCALL,
1862 EF_MODIFIES_STATE,
1863 30,
1864 {{"res", PT_ERRNO, PF_DEC},
1865 {"exe", PT_CHARBUF, PF_NA},
1866 {"args", PT_BYTEBUF, PF_NA},
1867 {"tid", PT_PID, PF_DEC},
1868 {"pid", PT_PID, PF_DEC},
1869 {"ptid", PT_PID, PF_DEC},
1870 {"cwd", PT_CHARBUF, PF_NA},
1871 {"fdlimit", PT_UINT64, PF_DEC},
1872 {"pgft_maj", PT_UINT64, PF_DEC},
1873 {"pgft_min", PT_UINT64, PF_DEC},
1874 {"vm_size", PT_UINT32, PF_DEC},
1875 {"vm_rss", PT_UINT32, PF_DEC},
1876 {"vm_swap", PT_UINT32, PF_DEC},
1877 {"comm", PT_CHARBUF, PF_NA},
1878 {"cgroups", PT_BYTEBUF, PF_NA},
1879 {"env", PT_BYTEBUF, PF_NA},
1880 {"tty", PT_UINT32, PF_DEC},
1881 {"vpgid", PT_PID, PF_DEC},
1882 {"loginuid", PT_UID, PF_DEC},
1883 {"flags", PT_FLAGS32, PF_HEX, execve_flags},
1884 {"cap_inheritable", PT_UINT64, PF_HEX},
1885 {"cap_permitted", PT_UINT64, PF_HEX},
1886 {"cap_effective", PT_UINT64, PF_HEX},
1887 {"exe_ino", PT_UINT64, PF_DEC},
1888 {"exe_ino_ctime", PT_ABSTIME, PF_DEC},
1889 {"exe_ino_mtime", PT_ABSTIME, PF_DEC},
1890 {"uid", PT_UID, PF_DEC},
1891 {"trusted_exepath", PT_FSPATH, PF_NA},
1892 {"pgid", PT_PID, PF_NA},
1893 {"gid", PT_GID, PF_DEC}}},
1894 [PPME_SYSCALL_COPY_FILE_RANGE_E] = {"copy_file_range",
1895 EC_FILE | EC_SYSCALL,
1896 EF_USES_FD | EF_READS_FROM_FD | EF_WRITES_TO_FD,
1897 3,
1898 {{"fdin", PT_FD, PF_DEC},
1899 {"offin", PT_UINT64, PF_DEC},
1900 {"len", PT_UINT64, PF_DEC}}},
1901 [PPME_SYSCALL_COPY_FILE_RANGE_X] = {"copy_file_range",
1902 EC_FILE | EC_SYSCALL,
1903 EF_USES_FD | EF_READS_FROM_FD | EF_WRITES_TO_FD,
1904 3,
1905 {{"res", PT_ERRNO, PF_DEC},
1906 {"fdout", PT_FD, PF_DEC},
1907 {"offout", PT_UINT64, PF_DEC}}},
1908 [PPME_SYSCALL_CLONE3_E] = {"clone3", EC_PROCESS | EC_SYSCALL, EF_MODIFIES_STATE, 0},
1909 [PPME_SYSCALL_CLONE3_X] = {"clone3",
1910 EC_PROCESS | EC_SYSCALL,
1911 EF_MODIFIES_STATE,
1912 21,
1913 {{"res", PT_PID, PF_DEC},
1914 {"exe", PT_CHARBUF, PF_NA},
1915 {"args", PT_BYTEBUF, PF_NA},
1916 {"tid", PT_PID, PF_DEC},
1917 {"pid", PT_PID, PF_DEC},
1918 {"ptid", PT_PID, PF_DEC},
1919 {"cwd", PT_CHARBUF, PF_NA},
1920 {"fdlimit", PT_INT64, PF_DEC},
1921 {"pgft_maj", PT_UINT64, PF_DEC},
1922 {"pgft_min", PT_UINT64, PF_DEC},
1923 {"vm_size", PT_UINT32, PF_DEC},
1924 {"vm_rss", PT_UINT32, PF_DEC},
1925 {"vm_swap", PT_UINT32, PF_DEC},
1926 {"comm", PT_CHARBUF, PF_NA},
1927 {"cgroups", PT_BYTEBUF, PF_NA},
1928 {"flags", PT_FLAGS32, PF_HEX, clone_flags},
1929 {"uid", PT_UINT32, PF_DEC},
1930 {"gid", PT_UINT32, PF_DEC},
1931 {"vtid", PT_PID, PF_DEC},
1932 {"vpid", PT_PID, PF_DEC},
1933 {"pidns_init_start_ts", PT_UINT64, PF_DEC}}},
1934 [PPME_SYSCALL_OPEN_BY_HANDLE_AT_E] = {"open_by_handle_at",
1935 EC_FILE | EC_SYSCALL,
1936 EF_CREATES_FD | EF_MODIFIES_STATE,
1937 0},
1938 [PPME_SYSCALL_OPEN_BY_HANDLE_AT_X] = {"open_by_handle_at",
1939 EC_FILE | EC_SYSCALL,
1940 EF_CREATES_FD | EF_MODIFIES_STATE,
1941 6,
1942 {{"fd", PT_FD, PF_DEC},
1943 {"mountfd", PT_FD, PF_DEC},
1944 {"flags", PT_FLAGS32, PF_HEX, file_flags},
1945 {"path", PT_FSPATH, PF_NA},
1946 {"dev", PT_UINT32, PF_HEX},
1947 {"ino", PT_UINT64, PF_DEC}}},
1948 [PPME_SYSCALL_IO_URING_SETUP_E] = {"io_uring_setup",
1949 EC_IO_OTHER | EC_SYSCALL,
1950 EF_CREATES_FD | EF_MODIFIES_STATE,
1951 0},
1952 [PPME_SYSCALL_IO_URING_SETUP_X] =
1953 {"io_uring_setup",
1954 EC_IO_OTHER | EC_SYSCALL,
1955 EF_CREATES_FD | EF_MODIFIES_STATE,
1956 8,
1957 {{"res", PT_ERRNO, PF_DEC},
1958 {"entries", PT_UINT32, PF_DEC},
1959 {"sq_entries", PT_UINT32, PF_DEC},
1960 {"cq_entries", PT_UINT32, PF_DEC},
1961 {"flags", PT_FLAGS32, PF_HEX, io_uring_setup_flags},
1962 {"sq_thread_cpu", PT_UINT32, PF_DEC},
1963 {"sq_thread_idle", PT_UINT32, PF_DEC},
1964 {"features", PT_FLAGS32, PF_HEX, io_uring_setup_feats}}},
1965 [PPME_SYSCALL_IO_URING_ENTER_E] = {"io_uring_enter", EC_IO_OTHER | EC_SYSCALL, EF_NONE, 0},
1966 [PPME_SYSCALL_IO_URING_ENTER_X] = {"io_uring_enter",
1967 EC_IO_OTHER | EC_SYSCALL,
1968 EF_USES_FD,
1969 6,
1970 {{"res", PT_ERRNO, PF_DEC},
1971 {"fd", PT_FD, PF_DEC},
1972 {"to_submit", PT_UINT32, PF_DEC},
1973 {"min_complete", PT_UINT32, PF_DEC},
1974 {"flags", PT_FLAGS32, PF_HEX, io_uring_enter_flags},
1975 {"sig", PT_SIGSET, PF_DEC}}},
1976 [PPME_SYSCALL_IO_URING_REGISTER_E] = {"io_uring_register",
1977 EC_IO_OTHER | EC_SYSCALL,
1978 EF_NONE,
1979 0},
1980 [PPME_SYSCALL_IO_URING_REGISTER_X] =
1981 {"io_uring_register",
1982 EC_IO_OTHER | EC_SYSCALL,
1983 EF_USES_FD,
1984 5,
1985 {{"res", PT_ERRNO, PF_DEC},
1986 {"fd", PT_FD, PF_DEC},
1987 {"opcode", PT_ENUMFLAGS16, PF_DEC, io_uring_register_opcodes},
1988 {"arg", PT_UINT64, PF_HEX},
1989 {"nr_args", PT_UINT32, PF_DEC}}},
1990 [PPME_SYSCALL_MLOCK_E] = {"mlock", EC_MEMORY | EC_SYSCALL, EF_NONE, 0},
1991 [PPME_SYSCALL_MLOCK_X] = {"mlock",
1992 EC_MEMORY | EC_SYSCALL,
1993 EF_NONE,
1994 3,
1995 {{"res", PT_ERRNO, PF_DEC},
1996 {"addr", PT_UINT64, PF_HEX},
1997 {"len", PT_UINT64, PF_DEC}}},
1998 [PPME_SYSCALL_MUNLOCK_E] = {"munlock", EC_MEMORY | EC_SYSCALL, EF_NONE, 0},
1999 [PPME_SYSCALL_MUNLOCK_X] = {"munlock",
2000 EC_MEMORY | EC_SYSCALL,
2001 EF_NONE,
2002 3,
2003 {{"res", PT_ERRNO, PF_DEC},
2004 {"addr", PT_UINT64, PF_HEX},
2005 {"len", PT_UINT64, PF_DEC}}},
2006 [PPME_SYSCALL_MLOCKALL_E] = {"mlockall", EC_MEMORY | EC_SYSCALL, EF_NONE, 0},
2007 [PPME_SYSCALL_MLOCKALL_X] = {"mlockall",
2008 EC_MEMORY | EC_SYSCALL,
2009 EF_NONE,
2010 2,
2011 {{"res", PT_ERRNO, PF_DEC},
2012 {"flags", PT_FLAGS32, PF_HEX, mlockall_flags}}},
2013 [PPME_SYSCALL_MUNLOCKALL_E] = {"munlockall", EC_MEMORY | EC_SYSCALL, EF_NONE, 0},
2014 [PPME_SYSCALL_MUNLOCKALL_X] =
2015 {"munlockall", EC_MEMORY | EC_SYSCALL, EF_NONE, 1, {{"res", PT_ERRNO, PF_DEC}}},
2016 [PPME_SYSCALL_CAPSET_E] = {"capset", EC_PROCESS | EC_SYSCALL, EF_MODIFIES_STATE, 0},
2017 [PPME_SYSCALL_CAPSET_X] = {"capset",
2018 EC_PROCESS | EC_SYSCALL,
2019 EF_MODIFIES_STATE,
2020 4,
2021 {{"res", PT_ERRNO, PF_DEC},
2022 {"cap_inheritable", PT_UINT64, PF_HEX},
2023 {"cap_permitted", PT_UINT64, PF_HEX},
2024 {"cap_effective", PT_UINT64, PF_HEX}}},
2025 [PPME_USER_ADDED_E] = {"useradded",
2026 EC_PROCESS | EC_METAEVENT,
2027 EF_MODIFIES_STATE,
2028 6,
2029 {{"uid", PT_UINT32, PF_DEC},
2030 {"gid", PT_UINT32, PF_DEC},
2031 {"name", PT_CHARBUF, PF_NA},
2032 {"home", PT_CHARBUF, PF_NA},
2033 {"shell", PT_CHARBUF, PF_NA},
2034 {"container_id", PT_CHARBUF, PF_NA}}},
2035 [PPME_USER_ADDED_X] = {"NA", EC_UNKNOWN, EF_UNUSED, 0},
2036 [PPME_USER_DELETED_E] = {"userdeleted",
2037 EC_PROCESS | EC_METAEVENT,
2038 EF_MODIFIES_STATE,
2039 6,
2040 {{"uid", PT_UINT32, PF_DEC},
2041 {"gid", PT_UINT32, PF_DEC},
2042 {"name", PT_CHARBUF, PF_NA},
2043 {"home", PT_CHARBUF, PF_NA},
2044 {"shell", PT_CHARBUF, PF_NA},
2045 {"container_id", PT_CHARBUF, PF_NA}}},
2046 [PPME_USER_DELETED_X] = {"NA", EC_UNKNOWN, EF_UNUSED, 0},
2047 [PPME_GROUP_ADDED_E] = {"groupadded",
2048 EC_PROCESS | EC_METAEVENT,
2049 EF_MODIFIES_STATE,
2050 3,
2051 {{"gid", PT_UINT32, PF_DEC},
2052 {"name", PT_CHARBUF, PF_NA},
2053 {"container_id", PT_CHARBUF, PF_NA}}},
2054 [PPME_GROUP_ADDED_X] = {"NA", EC_UNKNOWN, EF_UNUSED, 0},
2055 [PPME_GROUP_DELETED_E] = {"groupdeleted",
2056 EC_PROCESS | EC_METAEVENT,
2057 EF_MODIFIES_STATE,
2058 3,
2059 {{"gid", PT_UINT32, PF_DEC},
2060 {"name", PT_CHARBUF, PF_NA},
2061 {"container_id", PT_CHARBUF, PF_NA}}},
2062 [PPME_GROUP_DELETED_X] = {"NA", EC_UNKNOWN, EF_UNUSED, 0},
2063 [PPME_SYSCALL_DUP2_E] = {"dup2",
2064 EC_IO_OTHER | EC_SYSCALL,
2065 EF_CREATES_FD | EF_USES_FD | EF_MODIFIES_STATE,
2066 1,
2067 {{"fd", PT_FD, PF_DEC}}},
2068 [PPME_SYSCALL_DUP2_X] = {"dup2",
2069 EC_IO_OTHER | EC_SYSCALL,
2070 EF_CREATES_FD | EF_USES_FD | EF_MODIFIES_STATE,
2071 3,
2072 {{"res", PT_FD, PF_DEC},
2073 {"oldfd", PT_FD, PF_DEC},
2074 {"newfd", PT_FD, PF_DEC}}},
2075 [PPME_SYSCALL_DUP3_E] = {"dup3",
2076 EC_IO_OTHER | EC_SYSCALL,
2077 EF_CREATES_FD | EF_USES_FD | EF_MODIFIES_STATE,
2078 1,
2079 {{"fd", PT_FD, PF_DEC}}},
2080 [PPME_SYSCALL_DUP3_X] = {"dup3",
2081 EC_IO_OTHER | EC_SYSCALL,
2082 EF_CREATES_FD | EF_USES_FD | EF_MODIFIES_STATE,
2083 4,
2084 {{"res", PT_FD, PF_DEC},
2085 {"oldfd", PT_FD, PF_DEC},
2086 {"newfd", PT_FD, PF_DEC},
2087 {"flags", PT_FLAGS32, PF_HEX, file_flags}}},
2088 [PPME_SYSCALL_DUP_1_E] = {"dup",
2089 EC_IO_OTHER | EC_SYSCALL,
2090 EF_CREATES_FD | EF_USES_FD | EF_MODIFIES_STATE,
2091 1,
2092 {{"fd", PT_FD, PF_DEC}}},
2093 [PPME_SYSCALL_DUP_1_X] = {"dup",
2094 EC_IO_OTHER | EC_SYSCALL,
2095 EF_CREATES_FD | EF_USES_FD | EF_MODIFIES_STATE,
2096 2,
2097 {{"res", PT_FD, PF_DEC}, {"oldfd", PT_FD, PF_DEC}}},
2098 [PPME_SYSCALL_BPF_2_E] =
2099 {"bpf", EC_OTHER | EC_SYSCALL, EF_CREATES_FD, 1, {{"cmd", PT_INT64, PF_DEC}}},
2100 [PPME_SYSCALL_BPF_2_X] = {"bpf",
2101 EC_OTHER | EC_SYSCALL,
2102 EF_CREATES_FD,
2103 2,
2104 {{"fd", PT_FD, PF_DEC},
2105 {"cmd", PT_ENUMFLAGS32, PF_DEC, bpf_commands}}},
2106 [PPME_SYSCALL_MLOCK2_E] = {"mlock2", EC_MEMORY | EC_SYSCALL, EF_NONE, 0},
2107 [PPME_SYSCALL_MLOCK2_X] = {"mlock2",
2108 EC_MEMORY | EC_SYSCALL,
2109 EF_NONE,
2110 4,
2111 {{"res", PT_ERRNO, PF_DEC},
2112 {"addr", PT_UINT64, PF_HEX},
2113 {"len", PT_UINT64, PF_DEC},
2114 {"flags", PT_FLAGS32, PF_HEX, mlock2_flags}}},
2115 [PPME_SYSCALL_FSCONFIG_E] = {"fsconfig", EC_SYSTEM | EC_SYSCALL, EF_NONE, 0},
2116 [PPME_SYSCALL_FSCONFIG_X] = {"fsconfig",
2117 EC_SYSTEM | EC_SYSCALL,
2118 EF_USES_FD,
2119 7,
2120 {{"res", PT_ERRNO, PF_DEC},
2121 {"fd", PT_FD, PF_DEC},
2122 {"cmd", PT_ENUMFLAGS32, PF_DEC, fsconfig_cmds},
2123 {"key", PT_CHARBUF, PF_NA},
2124 {"value_bytebuf", PT_BYTEBUF, PF_NA},
2125 {"value_charbuf", PT_CHARBUF, PF_NA},
2126 {"aux", PT_INT32, PF_DEC}}},
2127 [PPME_SYSCALL_EPOLL_CREATE_E] = {"epoll_create",
2128 EC_WAIT | EC_SYSCALL,
2129 EF_CREATES_FD | EF_MODIFIES_STATE,
2130 1,
2131 {{"size", PT_INT32, PF_DEC}}},
2132 [PPME_SYSCALL_EPOLL_CREATE_X] = {"epoll_create",
2133 EC_WAIT | EC_SYSCALL,
2134 EF_CREATES_FD | EF_MODIFIES_STATE,
2135 1,
2136 {{"res", PT_ERRNO, PF_DEC}}},
2137 [PPME_SYSCALL_EPOLL_CREATE1_E] = {"epoll_create1",
2138 EC_WAIT | EC_SYSCALL,
2139 EF_CREATES_FD | EF_MODIFIES_STATE,
2140 1,
2141 {{"flags", PT_FLAGS32, PF_HEX, epoll_create1_flags}}},
2142 [PPME_SYSCALL_EPOLL_CREATE1_X] = {"epoll_create1",
2143 EC_WAIT | EC_SYSCALL,
2144 EF_CREATES_FD | EF_MODIFIES_STATE,
2145 1,
2146 {{"res", PT_ERRNO, PF_DEC}}},
2147 [PPME_SYSCALL_CHOWN_E] = {"chown", EC_FILE | EC_SYSCALL, EF_NONE, 0},
2148 [PPME_SYSCALL_CHOWN_X] = {"chown",
2149 EC_FILE | EC_SYSCALL,
2150 EF_NONE,
2151 4,
2152 {{"res", PT_ERRNO, PF_DEC},
2153 {"path", PT_FSPATH, PF_NA},
2154 {"uid", PT_UINT32, PF_DEC},
2155 {"gid", PT_UINT32, PF_DEC}}},
2156 [PPME_SYSCALL_LCHOWN_E] = {"lchown", EC_FILE | EC_SYSCALL, EF_NONE, 0},
2157 [PPME_SYSCALL_LCHOWN_X] = {"lchown",
2158 EC_FILE | EC_SYSCALL,
2159 EF_NONE,
2160 4,
2161 {{"res", PT_ERRNO, PF_DEC},
2162 {"path", PT_FSPATH, PF_NA},
2163 {"uid", PT_UINT32, PF_DEC},
2164 {"gid", PT_UINT32, PF_DEC}}},
2165 [PPME_SYSCALL_FCHOWN_E] = {"fchown", EC_FILE | EC_SYSCALL, EF_NONE, 0},
2166 [PPME_SYSCALL_FCHOWN_X] = {"fchown",
2167 EC_FILE | EC_SYSCALL,
2168 EF_USES_FD,
2169 4,
2170 {{"res", PT_ERRNO, PF_DEC},
2171 {"fd", PT_FD, PF_DEC},
2172 {"uid", PT_UINT32, PF_DEC},
2173 {"gid", PT_UINT32, PF_DEC}}},
2174 [PPME_SYSCALL_FCHOWNAT_E] = {"fchownat", EC_FILE | EC_SYSCALL, EF_NONE, 0},
2175 [PPME_SYSCALL_FCHOWNAT_X] = {"fchownat",
2176 EC_FILE | EC_SYSCALL,
2177 EF_NONE,
2178 6,
2179 {{"res", PT_ERRNO, PF_DEC},
2180 {"dirfd", PT_FD, PF_DEC},
2181 {"pathname", PT_FSRELPATH, PF_NA, 1},
2182 {"uid", PT_UINT32, PF_DEC},
2183 {"gid", PT_UINT32, PF_DEC},
2184 {"flags", PT_FLAGS32, PF_HEX, fchownat_flags}}},
2185 [PPME_SYSCALL_UMOUNT_1_E] = {"umount", EC_FILE | EC_SYSCALL, EF_MODIFIES_STATE, 0},
2186 [PPME_SYSCALL_UMOUNT_1_X] = {"umount",
2187 EC_FILE | EC_SYSCALL,
2188 EF_MODIFIES_STATE,
2189 2,
2190 {{"res", PT_ERRNO, PF_DEC}, {"name", PT_FSPATH, PF_NA}}},
2191 [PPME_SOCKET_ACCEPT4_6_E] = {"accept4",
2192 EC_NET | EC_SYSCALL,
2193 EF_CREATES_FD | EF_MODIFIES_STATE,
2194 1,
2195 {{"flags", PT_INT32, PF_HEX}}},
2196 [PPME_SOCKET_ACCEPT4_6_X] = {"accept4",
2197 EC_NET | EC_SYSCALL,
2198 EF_CREATES_FD | EF_MODIFIES_STATE,
2199 5,
2200 {{"fd", PT_FD, PF_DEC},
2201 {"tuple", PT_SOCKTUPLE, PF_NA},
2202 {"queuepct", PT_UINT8, PF_DEC},
2203 {"queuelen", PT_UINT32, PF_DEC},
2204 {"queuemax", PT_UINT32, PF_DEC}}},
2205 [PPME_SYSCALL_UMOUNT2_E] = {"umount2",
2206 EC_FILE | EC_SYSCALL,
2207 EF_MODIFIES_STATE,
2208 1,
2209 {{"flags", PT_FLAGS32, PF_HEX, umount_flags}}},
2210 [PPME_SYSCALL_UMOUNT2_X] = {"umount2",
2211 EC_FILE | EC_SYSCALL,
2212 EF_MODIFIES_STATE,
2213 2,
2214 {{"res", PT_ERRNO, PF_DEC}, {"name", PT_FSPATH, PF_NA}}},
2215 [PPME_SYSCALL_PIPE2_E] = {"pipe2",
2216 EC_IPC | EC_SYSCALL,
2217 EF_CREATES_FD | EF_MODIFIES_STATE,
2218 0},
2219 [PPME_SYSCALL_PIPE2_X] = {"pipe2",
2220 EC_IPC | EC_SYSCALL,
2221 EF_CREATES_FD | EF_MODIFIES_STATE,
2222 5,
2223 {{"res", PT_ERRNO, PF_DEC},
2224 {"fd1", PT_FD, PF_DEC},
2225 {"fd2", PT_FD, PF_DEC},
2226 {"ino", PT_UINT64, PF_DEC},
2227 {"flags", PT_FLAGS32, PF_HEX, file_flags}}},
2228 [PPME_SYSCALL_INOTIFY_INIT1_E] = {"inotify_init1",
2229 EC_IPC | EC_SYSCALL,
2230 EF_CREATES_FD | EF_MODIFIES_STATE,
2231 0},
2232 [PPME_SYSCALL_INOTIFY_INIT1_X] = {"inotify_init1",
2233 EC_IPC | EC_SYSCALL,
2234 EF_CREATES_FD | EF_MODIFIES_STATE,
2235 2,
2236 {{"res", PT_FD, PF_DEC},
2237 {"flags", PT_FLAGS16, PF_HEX, file_flags}}},
2238 [PPME_SYSCALL_EVENTFD2_E] = {"eventfd2",
2239 EC_IPC | EC_SYSCALL,
2240 EF_CREATES_FD | EF_MODIFIES_STATE,
2241 1,
2242 {{"initval", PT_UINT64, PF_DEC}}},
2243 [PPME_SYSCALL_EVENTFD2_X] = {"eventfd2",
2244 EC_IPC | EC_SYSCALL,
2245 EF_CREATES_FD | EF_MODIFIES_STATE,
2246 2,
2247 {{"res", PT_FD, PF_DEC},
2248 {"flags", PT_FLAGS16, PF_HEX, file_flags}}},
2249 [PPME_SYSCALL_SIGNALFD4_E] = {"signalfd4",
2250 EC_SIGNAL | EC_SYSCALL,
2251 EF_CREATES_FD | EF_MODIFIES_STATE,
2252 2,
2253 {{"fd", PT_FD, PF_DEC}, {"mask", PT_UINT32, PF_HEX}}},
2254 [PPME_SYSCALL_SIGNALFD4_X] = {"signalfd4",
2255 EC_SIGNAL | EC_SYSCALL,
2256 EF_CREATES_FD | EF_MODIFIES_STATE,
2257 2,
2258 {{"res", PT_FD, PF_DEC},
2259 {"flags", PT_FLAGS16, PF_HEX, file_flags}}},
2260 [PPME_SYSCALL_PRCTL_E] = {"prctl", EC_PROCESS | EC_SYSCALL, EF_MODIFIES_STATE, 0},
2261 [PPME_SYSCALL_PRCTL_X] = {"prctl",
2262 EC_PROCESS | EC_SYSCALL,
2263 EF_MODIFIES_STATE,
2264 4,
2265 {{"res", PT_ERRNO, PF_DEC},
2266 {"option", PT_ENUMFLAGS32, PF_DEC, prctl_options},
2267 {"arg2_str", PT_CHARBUF, PF_NA},
2268 {"arg2_int", PT_INT64, PF_DEC}}},
2269 [PPME_ASYNCEVENT_E] = {"asyncevent",
2270 EC_OTHER | EC_METAEVENT,
2271 EF_LARGE_PAYLOAD,
2272 3,
2273 {{"plugin_id", PT_UINT32, PF_DEC},
2274 {"name", PT_CHARBUF, PF_NA},
2275 {"data", PT_BYTEBUF, PF_NA}}},
2276 [PPME_ASYNCEVENT_X] = {"NA", EC_UNKNOWN, EF_UNUSED, 0},
2277 [PPME_SYSCALL_MEMFD_CREATE_E] = {"memfd_create",
2278 EC_MEMORY | EC_SYSCALL,
2279 EF_CREATES_FD | EF_MODIFIES_STATE,
2280 0},
2281 [PPME_SYSCALL_MEMFD_CREATE_X] = {"memfd_create",
2282 EC_MEMORY | EC_SYSCALL,
2283 EF_CREATES_FD | EF_MODIFIES_STATE,
2284 3,
2285 {{"fd", PT_FD, PF_DEC},
2286 {"name", PT_CHARBUF, PF_NA},
2287 {"flags", PT_FLAGS32, PF_HEX, memfd_create_flags}}},
2288 [PPME_SYSCALL_PIDFD_GETFD_E] = {"pidfd_getfd",
2289 EC_PROCESS | EC_SYSCALL,
2290 EF_CREATES_FD | EF_MODIFIES_STATE,
2291 0},
2292 [PPME_SYSCALL_PIDFD_GETFD_X] = {"pidfd_getfd",
2293 EC_PROCESS | EC_SYSCALL,
2294 EF_CREATES_FD | EF_MODIFIES_STATE,
2295 4,
2296 {{"fd", PT_FD, PF_DEC},
2297 {"pid_fd", PT_FD, PF_DEC},
2298 {"target_fd", PT_FD, PF_DEC},
2299 {"flags", PT_UINT32, PF_HEX}}},
2300 [PPME_SYSCALL_PIDFD_OPEN_E] = {"pidfd_open",
2301 EC_PROCESS | EC_SYSCALL,
2302 EF_CREATES_FD | EF_MODIFIES_STATE,
2303 0},
2304 [PPME_SYSCALL_PIDFD_OPEN_X] = {"pidfd_open",
2305 EC_PROCESS | EC_SYSCALL,
2306 EF_CREATES_FD | EF_MODIFIES_STATE,
2307 3,
2308 {{"fd", PT_FD, PF_DEC},
2309 {"pid", PT_PID, PF_DEC},
2310 {"flags", PT_FLAGS32, PF_HEX, pidfd_open_flags}}},
2311 [PPME_SYSCALL_INIT_MODULE_E] = {"init_module", EC_OTHER | EC_SYSCALL, EF_NONE, 0},
2312 [PPME_SYSCALL_INIT_MODULE_X] = {"init_module",
2313 EC_OTHER | EC_SYSCALL,
2314 EF_NONE,
2315 4,
2316 {{"res", PT_ERRNO, PF_DEC},
2317 {"img", PT_BYTEBUF, PF_NA},
2318 {"length", PT_UINT64, PF_DEC},
2319 {"uargs", PT_CHARBUF, PF_NA}}},
2320 [PPME_SYSCALL_FINIT_MODULE_E] = {"finit_module", EC_OTHER | EC_SYSCALL, EF_NONE, 0},
2321 [PPME_SYSCALL_FINIT_MODULE_X] = {"finit_module",
2322 EC_OTHER | EC_SYSCALL,
2323 EF_USES_FD | EF_READS_FROM_FD,
2324 4,
2325 {{"res", PT_ERRNO, PF_DEC},
2326 {"fd", PT_FD, PF_DEC},
2327 {"uargs", PT_CHARBUF, PF_NA},
2328 {"flags", PT_FLAGS32, PF_HEX, finit_module_flags}}},
2329 [PPME_SYSCALL_MKNOD_E] = {"mknod", EC_OTHER | EC_SYSCALL, EF_NONE, 0},
2330 [PPME_SYSCALL_MKNOD_X] = {"mknod",
2331 EC_OTHER | EC_SYSCALL,
2332 EF_NONE,
2333 4,
2334 {{"res", PT_ERRNO, PF_DEC},
2335 {"path", PT_FSPATH, PF_NA},
2336 {"mode", PT_MODE, PF_OCT, mknod_mode},
2337 {"dev", PT_UINT32, PF_DEC}}},
2338 [PPME_SYSCALL_MKNODAT_E] = {"mknodat", EC_OTHER | EC_SYSCALL, EF_NONE, 0},
2339 [PPME_SYSCALL_MKNODAT_X] = {"mknodat",
2340 EC_OTHER | EC_SYSCALL,
2341 EF_USES_FD,
2342 5,
2343 {{"res", PT_ERRNO, PF_DEC},
2344 {"dirfd", PT_FD, PF_DEC},
2345 {"path", PT_FSRELPATH, PF_NA, 1},
2346 {"mode", PT_MODE, PF_OCT, mknod_mode},
2347 {"dev", PT_UINT32, PF_DEC}}},
2348 [PPME_SYSCALL_NEWFSTATAT_E] = {"newfstatat", EC_FILE | EC_SYSCALL, EF_NONE, 0},
2349 [PPME_SYSCALL_NEWFSTATAT_X] = {"newfstatat",
2350 EC_FILE | EC_SYSCALL,
2351 EF_USES_FD,
2352 4,
2353 {{"res", PT_ERRNO, PF_DEC},
2354 {"dirfd", PT_FD, PF_DEC},
2355 {"path", PT_FSRELPATH, PF_NA, 1},
2356 {"flags", PT_FLAGS32, PF_HEX, newfstatat_flags}}},
2357 [PPME_SYSCALL_PROCESS_VM_READV_E] = {"process_vm_readv", EC_SYSCALL | EC_IPC, EF_NONE, 0},
2358 [PPME_SYSCALL_PROCESS_VM_READV_X] = {"process_vm_readv",
2359 EC_SYSCALL | EC_IPC,
2360 EF_NONE,
2361 3,
2362 {{"res", PT_INT64, PF_DEC},
2363 {"pid", PT_PID, PF_DEC},
2364 {"data", PT_BYTEBUF, PF_NA}}},
2365 [PPME_SYSCALL_PROCESS_VM_WRITEV_E] = {"process_vm_writev", EC_SYSCALL | EC_IPC, EF_NONE, 0},
2366 [PPME_SYSCALL_PROCESS_VM_WRITEV_X] = {"process_vm_writev",
2367 EC_SYSCALL | EC_IPC,
2368 EF_NONE,
2369 3,
2370 {{"res", PT_INT64, PF_DEC},
2371 {"pid", PT_PID, PF_DEC},
2372 {"data", PT_BYTEBUF, PF_NA}}},
2373 [PPME_SYSCALL_DELETE_MODULE_E] = {"delete_module", EC_OTHER | EC_SYSCALL, EF_NONE, 0},
2374 [PPME_SYSCALL_DELETE_MODULE_X] = {"delete_module",
2375 EC_OTHER | EC_SYSCALL,
2376 EF_NONE,
2377 3,
2378 {{"res", PT_ERRNO, PF_DEC},
2379 {"name", PT_CHARBUF, PF_NA},
2380 {"flags", PT_FLAGS32, PF_HEX, delete_module_flags}}},
2381 [PPME_SYSCALL_SETREUID_E] = {"setreuid", EC_USER | EC_SYSCALL, EF_MODIFIES_STATE, 0},
2382 [PPME_SYSCALL_SETREUID_X] = {"setreuid",
2383 EC_USER | EC_SYSCALL,
2384 EF_MODIFIES_STATE,
2385 3,
2386 {{"res", PT_ERRNO, PF_DEC},
2387 {"ruid", PT_UID, PF_DEC},
2388 {"euid", PT_UID, PF_DEC}}},
2389 [PPME_SYSCALL_SETREGID_E] = {"setregid", EC_USER | EC_SYSCALL, EF_NONE, 0},
2390 [PPME_SYSCALL_SETREGID_X] = {"setregid",
2391 EC_USER | EC_SYSCALL,
2392 EF_MODIFIES_STATE,
2393 3,
2394 {{"res", PT_ERRNO, PF_DEC},
2395 {"rgid", PT_UID, PF_DEC},
2396 {"egid", PT_UID, PF_DEC}}},
2397}