1use falco_schema_derive::event_info;
2
3event_info! {
4 [PPME_GENERIC_E] = {"syscall",
5 EC_OTHER | EC_SYSCALL,
6 EF_OLD_VERSION | EF_CONVERTER_MANAGED,
7 2,
8 {{"id", PT_SYSCALLID, PF_DEC}, {"native_id", PT_UINT16, PF_DEC}}},
9 [PPME_GENERIC_X] = {"syscall",
10 EC_OTHER | EC_SYSCALL,
11 EF_CONVERTER_MANAGED,
12 2,
13 {{"id", PT_SYSCALLID, PF_DEC}, {"native_id", PT_UINT16, PF_DEC}}},
14 [PPME_SYSCALL_OPEN_E] = {"open",
15 EC_FILE | EC_SYSCALL,
16 EF_CREATES_FD | EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
17 3,
18 {{"name", PT_FSPATH, PF_NA},
19 {"flags", PT_FLAGS32, PF_HEX, file_flags},
20 {"mode", PT_UINT32, PF_OCT}}},
21 [PPME_SYSCALL_OPEN_X] = {"open",
22 EC_FILE | EC_SYSCALL,
23 EF_CREATES_FD | EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
24 6,
25 {{"fd", PT_FD, PF_DEC},
26 {"name", PT_FSPATH, PF_NA},
27 {"flags", PT_FLAGS32, PF_HEX, file_flags},
28 {"mode", PT_UINT32, PF_OCT},
29 {"dev", PT_UINT32, PF_HEX},
30 {"ino", PT_UINT64, PF_DEC}}},
31 [PPME_SYSCALL_CLOSE_E] = {"close",
32 EC_IO_OTHER | EC_SYSCALL,
33 EF_OLD_VERSION | EF_DESTROYS_FD | EF_USES_FD | EF_MODIFIES_STATE |
34 EF_CONVERTER_MANAGED,
35 1,
36 {{"fd", PT_FD, PF_DEC}}},
37 [PPME_SYSCALL_CLOSE_X] = {"close",
38 EC_IO_OTHER | EC_SYSCALL,
39 EF_DESTROYS_FD | EF_USES_FD | EF_MODIFIES_STATE |
40 EF_CONVERTER_MANAGED,
41 2,
42 {{"res", PT_ERRNO, PF_DEC}, {"fd", PT_FD, PF_DEC}}},
43 [PPME_SYSCALL_READ_E] = {"read",
44 EC_IO_READ | EC_SYSCALL,
45 EF_OLD_VERSION | EF_USES_FD | EF_READS_FROM_FD |
46 EF_CONVERTER_MANAGED,
47 2,
48 {{"fd", PT_FD, PF_DEC}, {"size", PT_UINT32, PF_DEC}}},
49 [PPME_SYSCALL_READ_X] = {"read",
50 EC_IO_READ | EC_SYSCALL,
51 EF_USES_FD | EF_READS_FROM_FD | EF_CONVERTER_MANAGED,
52 4,
53 {{"res", PT_ERRNO, PF_DEC},
54 {"data", PT_BYTEBUF, PF_NA},
55 {"fd", PT_FD, PF_DEC},
56 {"size", PT_UINT32, PF_DEC}}},
57 [PPME_SYSCALL_WRITE_E] = {"write",
58 EC_IO_WRITE | EC_SYSCALL,
59 EF_OLD_VERSION | EF_USES_FD | EF_WRITES_TO_FD |
60 EF_CONVERTER_MANAGED,
61 2,
62 {{"fd", PT_FD, PF_DEC}, {"size", PT_UINT32, PF_DEC}}},
63 [PPME_SYSCALL_WRITE_X] = {"write",
64 EC_IO_WRITE | EC_SYSCALL,
65 EF_USES_FD | EF_WRITES_TO_FD | EF_CONVERTER_MANAGED,
66 4,
67 {{"res", PT_ERRNO, PF_DEC},
68 {"data", PT_BYTEBUF, PF_NA},
69 {"fd", PT_FD, PF_DEC},
70 {"size", PT_UINT32, PF_DEC}}},
71 [PPME_SYSCALL_BRK_1_E] = {"brk",
72 EC_MEMORY | EC_SYSCALL,
73 EF_OLD_VERSION | EF_CONVERTER_MANAGED,
74 1,
75 {{"size", PT_UINT32, PF_DEC}}},
76 [PPME_SYSCALL_BRK_1_X] = {"brk",
77 EC_MEMORY | EC_SYSCALL,
78 EF_OLD_VERSION | EF_CONVERTER_MANAGED,
79 1,
80 {{"res", PT_UINT64, PF_HEX}}},
81 [PPME_SYSCALL_EXECVE_8_E] = {"execve",
82 EC_PROCESS | EC_SYSCALL,
83 EF_OLD_VERSION | EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
84 0},
85 [PPME_SYSCALL_EXECVE_8_X] = {"execve",
86 EC_PROCESS | EC_SYSCALL,
87 EF_OLD_VERSION | EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
88 8,
89 {{"res", PT_ERRNO, PF_DEC},
90 {"exe", PT_CHARBUF, PF_NA},
91 {"args", PT_BYTEBUF, PF_NA},
92 {"tid", PT_PID, PF_DEC},
93 {"pid", PT_PID, PF_DEC},
94 {"ptid", PT_PID, PF_DEC},
95 {"cwd", PT_CHARBUF, PF_NA},
96 {"fdlimit", PT_UINT64, PF_DEC}}},
97 [PPME_SYSCALL_CLONE_11_E] = {"clone",
98 EC_PROCESS | EC_SYSCALL,
99 EF_OLD_VERSION | EF_MODIFIES_STATE,
100 0},
101 [PPME_SYSCALL_CLONE_11_X] = {"clone",
102 EC_PROCESS | EC_SYSCALL,
103 EF_OLD_VERSION | EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
104 11,
105 {{"res", PT_PID, PF_DEC},
106 {"exe", PT_CHARBUF, PF_NA},
107 {"args", PT_BYTEBUF, PF_NA},
108 {"tid", PT_PID, PF_DEC},
109 {"pid", PT_PID, PF_DEC},
110 {"ptid", PT_PID, PF_DEC},
111 {"cwd", PT_CHARBUF, PF_NA},
112 {"fdlimit", PT_INT64, PF_DEC},
113 {"flags", PT_FLAGS32, PF_HEX, clone_flags},
114 {"uid", PT_UINT32, PF_DEC},
115 {"gid", PT_UINT32, PF_DEC}}},
116 [PPME_PROCEXIT_E] = {"procexit",
117 EC_PROCESS | EC_TRACEPOINT,
118 EF_OLD_VERSION | EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
119 0},
120 [PPME_PROCEXIT_X] = {"NA", EC_UNKNOWN, EF_UNUSED, 0},
121 [PPME_SOCKET_SOCKET_E] = {"socket",
122 EC_NET | EC_SYSCALL,
123 EF_OLD_VERSION | EF_CREATES_FD | EF_MODIFIES_STATE |
124 EF_CONVERTER_MANAGED,
125 3,
126 {{"domain", PT_ENUMFLAGS32, PF_DEC, socket_families},
127 {"type", PT_UINT32, PF_DEC},
128 {"proto", PT_UINT32, PF_DEC}}},
129 [PPME_SOCKET_SOCKET_X] = {"socket",
130 EC_NET | EC_SYSCALL,
131 EF_CREATES_FD | EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
132 5,
133 {{"fd", PT_FD, PF_DEC},
134 {"domain", PT_ENUMFLAGS32, PF_DEC, socket_families},
135 {"type", PT_UINT32, PF_DEC},
136 {"proto", PT_UINT32, PF_DEC},
137 {"flags", PT_FLAGS32, PF_HEX, file_flags}}},
138 [PPME_SOCKET_BIND_E] = {"bind",
139 EC_NET | EC_SYSCALL,
140 EF_OLD_VERSION | EF_USES_FD | EF_MODIFIES_STATE |
141 EF_CONVERTER_MANAGED,
142 1,
143 {{"fd", PT_FD, PF_DEC}}},
144 [PPME_SOCKET_BIND_X] = {"bind",
145 EC_NET | EC_SYSCALL,
146 EF_USES_FD | EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
147 3,
148 {{"res", PT_ERRNO, PF_DEC},
149 {"addr", PT_SOCKADDR, PF_NA},
150 {"fd", PT_FD, PF_DEC}}},
151 [PPME_SOCKET_CONNECT_E] = {"connect",
152 EC_NET | EC_SYSCALL,
153 EF_USES_FD | EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
154 2,
155 {{"fd", PT_FD, PF_DEC}, {"addr", PT_SOCKADDR, PF_NA}}},
156 [PPME_SOCKET_CONNECT_X] = {"connect",
157 EC_NET | EC_SYSCALL,
158 EF_USES_FD | EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
159 4,
160 {{"res", PT_ERRNO, PF_DEC},
161 {"tuple", PT_SOCKTUPLE, PF_NA},
162 {"fd", PT_FD, PF_DEC},
163 {"addr", PT_SOCKADDR, PF_NA}}},
164 [PPME_SOCKET_LISTEN_E] = {"listen",
165 EC_NET | EC_SYSCALL,
166 EF_OLD_VERSION | EF_USES_FD | EF_CONVERTER_MANAGED,
167 2,
168 {{"fd", PT_FD, PF_DEC}, {"backlog", PT_INT32, PF_DEC}}},
169 [PPME_SOCKET_LISTEN_X] = {"listen",
170 EC_NET | EC_SYSCALL,
171 EF_USES_FD | EF_CONVERTER_MANAGED,
172 3,
173 {{"res", PT_ERRNO, PF_DEC},
174 {"fd", PT_FD, PF_DEC},
175 {"backlog", PT_INT32, PF_DEC}}},
176 [PPME_SOCKET_ACCEPT_E] = {"accept",
177 EC_NET | EC_SYSCALL,
178 EF_OLD_VERSION | EF_CREATES_FD | EF_MODIFIES_STATE,
179 0},
180 [PPME_SOCKET_ACCEPT_X] = {"accept",
181 EC_NET | EC_SYSCALL,
182 EF_OLD_VERSION | EF_CREATES_FD | EF_MODIFIES_STATE |
183 EF_CONVERTER_MANAGED,
184 3,
185 {{"fd", PT_FD, PF_DEC},
186 {"tuple", PT_SOCKTUPLE, PF_NA},
187 {"queuepct", PT_UINT8, PF_DEC}}},
188 [PPME_SOCKET_SEND_E] = {"send",
189 EC_IO_WRITE | EC_SYSCALL,
190 EF_OLD_VERSION | EF_USES_FD | EF_WRITES_TO_FD |
191 EF_CONVERTER_MANAGED,
192 2,
193 {{"fd", PT_FD, PF_DEC}, {"size", PT_UINT32, PF_DEC}}},
194 [PPME_SOCKET_SEND_X] = {"send",
195 EC_IO_WRITE | EC_SYSCALL,
196 EF_USES_FD | EF_WRITES_TO_FD | EF_CONVERTER_MANAGED,
197 5,
198 {{"res", PT_ERRNO, PF_DEC},
199 {"data", PT_BYTEBUF, PF_NA},
200 {"fd", PT_FD, PF_DEC},
201 {"size", PT_UINT32, PF_DEC},
202 {"tuple", PT_SOCKTUPLE, PF_NA}}},
203 [PPME_SOCKET_SENDTO_E] = {"sendto",
204 EC_IO_WRITE | EC_SYSCALL,
205 EF_OLD_VERSION | EF_USES_FD | EF_WRITES_TO_FD |
206 EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
207 3,
208 {{"fd", PT_FD, PF_DEC},
209 {"size", PT_UINT32, PF_DEC},
210 {"tuple", PT_SOCKTUPLE, PF_NA}}},
211 [PPME_SOCKET_SENDTO_X] = {"sendto",
212 EC_IO_WRITE | EC_SYSCALL,
213 EF_USES_FD | EF_WRITES_TO_FD | EF_MODIFIES_STATE |
214 EF_CONVERTER_MANAGED,
215 5,
216 {{"res", PT_ERRNO, PF_DEC},
217 {"data", PT_BYTEBUF, PF_NA},
218 {"fd", PT_FD, PF_DEC},
219 {"size", PT_UINT32, PF_DEC},
220 {"tuple", PT_SOCKTUPLE, PF_NA}}},
221 [PPME_SOCKET_RECV_E] = {"recv",
222 EC_IO_READ | EC_SYSCALL,
223 EF_OLD_VERSION | EF_USES_FD | EF_READS_FROM_FD |
224 EF_CONVERTER_MANAGED,
225 2,
226 {{"fd", PT_FD, PF_DEC}, {"size", PT_UINT32, PF_DEC}}},
227 [PPME_SOCKET_RECV_X] = {"recv",
228 EC_IO_READ | EC_SYSCALL,
229 EF_USES_FD | EF_READS_FROM_FD | EF_CONVERTER_MANAGED,
230 5,
231 {{"res", PT_ERRNO, PF_DEC},
232 {"data", PT_BYTEBUF, PF_NA},
233 {"fd", PT_FD, PF_DEC},
234 {"size", PT_UINT32, PF_DEC},
235 {"tuple", PT_SOCKTUPLE, PF_NA}}},
236 [PPME_SOCKET_RECVFROM_E] = {"recvfrom",
237 EC_IO_READ | EC_SYSCALL,
238 EF_OLD_VERSION | EF_USES_FD | EF_READS_FROM_FD |
239 EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
240 2,
241 {{"fd", PT_FD, PF_DEC}, {"size", PT_UINT32, PF_DEC}}},
242 [PPME_SOCKET_RECVFROM_X] = {"recvfrom",
243 EC_IO_READ | EC_SYSCALL,
244 EF_USES_FD | EF_READS_FROM_FD | EF_MODIFIES_STATE |
245 EF_CONVERTER_MANAGED,
246 5,
247 {{"res", PT_ERRNO, PF_DEC},
248 {"data", PT_BYTEBUF, PF_NA},
249 {"tuple", PT_SOCKTUPLE, PF_NA},
250 {"fd", PT_FD, PF_DEC},
251 {"size", PT_UINT32, PF_DEC}}},
252 [PPME_SOCKET_SHUTDOWN_E] = {"shutdown",
253 EC_NET | EC_SYSCALL,
254 EF_OLD_VERSION | EF_USES_FD | EF_MODIFIES_STATE |
255 EF_CONVERTER_MANAGED,
256 2,
257 {{"fd", PT_FD, PF_DEC},
258 {"how", PT_ENUMFLAGS8, PF_HEX, shutdown_how}}},
259 [PPME_SOCKET_SHUTDOWN_X] = {"shutdown",
260 EC_NET | EC_SYSCALL,
261 EF_USES_FD | EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
262 3,
263 {{"res", PT_ERRNO, PF_DEC},
264 {"fd", PT_FD, PF_DEC},
265 {"how", PT_ENUMFLAGS8, PF_HEX, shutdown_how}}},
266 [PPME_SOCKET_GETSOCKNAME_E] = {"getsockname", EC_NET | EC_SYSCALL, EF_OLD_VERSION, 0},
267 [PPME_SOCKET_GETSOCKNAME_X] = {"getsockname", EC_NET | EC_SYSCALL, EF_NONE, 0},
268 [PPME_SOCKET_GETPEERNAME_E] = {"getpeername", EC_NET | EC_SYSCALL, EF_OLD_VERSION, 0},
269 [PPME_SOCKET_GETPEERNAME_X] = {"getpeername", EC_NET | EC_SYSCALL, EF_NONE, 0},
270 [PPME_SOCKET_SOCKETPAIR_E] = {"socketpair",
271 EC_IPC | EC_SYSCALL,
272 EF_OLD_VERSION | EF_CREATES_FD | EF_MODIFIES_STATE |
273 EF_CONVERTER_MANAGED,
274 3,
275 {{"domain", PT_ENUMFLAGS32, PF_DEC, socket_families},
276 {"type", PT_UINT32, PF_DEC},
277 {"proto", PT_UINT32, PF_DEC}}},
278 [PPME_SOCKET_SOCKETPAIR_X] = {"socketpair",
279 EC_IPC | EC_SYSCALL,
280 EF_CREATES_FD | EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
281 8,
282 {{"res", PT_ERRNO, PF_DEC},
283 {"fd1", PT_FD, PF_DEC},
284 {"fd2", PT_FD, PF_DEC},
285 {"source", PT_UINT64, PF_HEX},
286 {"peer", PT_UINT64, PF_HEX},
287 {"domain", PT_ENUMFLAGS32, PF_DEC, socket_families},
288 {"type", PT_UINT32, PF_DEC},
289 {"proto", PT_UINT32, PF_DEC}}},
290 [PPME_SOCKET_SETSOCKOPT_E] = {"setsockopt", EC_NET | EC_SYSCALL, EF_OLD_VERSION, 0},
291 [PPME_SOCKET_SETSOCKOPT_X] =
292 {"setsockopt",
293 EC_NET | EC_SYSCALL,
294 EF_USES_FD,
295 6,
296 {{"res", PT_ERRNO, PF_DEC},
297 {"fd", PT_FD, PF_DEC},
298 {"level", PT_ENUMFLAGS8, PF_DEC, sockopt_levels},
299 {"optname", PT_ENUMFLAGS8, PF_DEC, sockopt_options},
300 {"val", PT_DYN, PF_DEC, sockopt_dynamic_param, PPM_SOCKOPT_IDX_MAX},
301 {"optlen", PT_UINT32, PF_DEC}}},
302 [PPME_SOCKET_GETSOCKOPT_E] = {"getsockopt",
303 EC_NET | EC_SYSCALL,
304 EF_OLD_VERSION | EF_MODIFIES_STATE,
305 0},
306 [PPME_SOCKET_GETSOCKOPT_X] =
307 {"getsockopt",
308 EC_NET | EC_SYSCALL,
309 EF_USES_FD | EF_MODIFIES_STATE,
310 6,
311 {{"res", PT_ERRNO, PF_DEC},
312 {"fd", PT_FD, PF_DEC},
313 {"level", PT_ENUMFLAGS8, PF_DEC, sockopt_levels},
314 {"optname", PT_ENUMFLAGS8, PF_DEC, sockopt_options},
315 {"val", PT_DYN, PF_DEC, sockopt_dynamic_param, PPM_SOCKOPT_IDX_MAX},
316 {"optlen", PT_UINT32, PF_DEC}}},
317 [PPME_SOCKET_SENDMSG_E] = {"sendmsg",
318 EC_IO_WRITE | EC_SYSCALL,
319 EF_OLD_VERSION | EF_USES_FD | EF_WRITES_TO_FD |
320 EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
321 3,
322 {{"fd", PT_FD, PF_DEC},
323 {"size", PT_UINT32, PF_DEC},
324 {"tuple", PT_SOCKTUPLE, PF_NA}}},
325 [PPME_SOCKET_SENDMSG_X] = {"sendmsg",
326 EC_IO_WRITE | EC_SYSCALL,
327 EF_USES_FD | EF_WRITES_TO_FD | EF_MODIFIES_STATE |
328 EF_CONVERTER_MANAGED,
329 5,
330 {{"res", PT_ERRNO, PF_DEC},
331 {"data", PT_BYTEBUF, PF_NA},
332 {"fd", PT_FD, PF_DEC},
333 {"size", PT_UINT32, PF_DEC},
334 {"tuple", PT_SOCKTUPLE, PF_NA}}},
335 [PPME_SOCKET_SENDMMSG_E] = {"sendmmsg", EC_IO_WRITE | EC_SYSCALL, EF_OLD_VERSION, 0},
336 [PPME_SOCKET_SENDMMSG_X] = {"sendmmsg",
337 EC_IO_WRITE | EC_SYSCALL,
338 EF_USES_FD | EF_WRITES_TO_FD | EF_MODIFIES_STATE |
339 EF_CONVERTER_MANAGED,
340 5,
341 {{"res", PT_ERRNO, PF_DEC},
342 {"fd", PT_FD, PF_DEC},
343 {"size", PT_UINT32, PF_DEC},
344 {"data", PT_BYTEBUF, PF_NA},
345 {"tuple", PT_SOCKTUPLE, PF_NA}}},
346 [PPME_SOCKET_RECVMSG_E] = {"recvmsg",
347 EC_IO_READ | EC_SYSCALL,
348 EF_OLD_VERSION | EF_USES_FD | EF_READS_FROM_FD |
349 EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
350 1,
351 {{"fd", PT_FD, PF_DEC}}},
352 [PPME_SOCKET_RECVMSG_X] = {"recvmsg",
353 EC_IO_READ | EC_SYSCALL,
354 EF_USES_FD | EF_READS_FROM_FD | EF_MODIFIES_STATE |
355 EF_CONVERTER_MANAGED,
356 6,
357 {{"res", PT_ERRNO, PF_DEC},
358 {"size", PT_UINT32, PF_DEC},
359 {"data", PT_BYTEBUF, PF_NA},
360 {"tuple", PT_SOCKTUPLE, PF_NA},
361 {"msgcontrol", PT_BYTEBUF, PF_NA},
362 {"fd", PT_FD, PF_DEC}}},
363 [PPME_SOCKET_RECVMMSG_E] = {"recvmmsg", EC_IO_READ | EC_SYSCALL, EF_OLD_VERSION, 0},
364 [PPME_SOCKET_RECVMMSG_X] = {"recvmmsg",
365 EC_IO_READ | EC_SYSCALL,
366 EF_USES_FD | EF_READS_FROM_FD | EF_MODIFIES_STATE |
367 EF_CONVERTER_MANAGED,
368 6,
369 {{"res", PT_ERRNO, PF_DEC},
370 {"fd", PT_FD, PF_DEC},
371 {"size", PT_UINT32, PF_DEC},
372 {"data", PT_BYTEBUF, PF_NA},
373 {"tuple", PT_SOCKTUPLE, PF_NA},
374 {"msgcontrol", PT_BYTEBUF, PF_NA}}},
375 [PPME_SOCKET_ACCEPT4_E] = {"accept",
376 EC_NET | EC_SYSCALL,
377 EF_OLD_VERSION | EF_CREATES_FD | EF_MODIFIES_STATE |
378 EF_CONVERTER_MANAGED,
379 1,
380 {{"flags", PT_INT32, PF_HEX}}},
381 [PPME_SOCKET_ACCEPT4_X] = {"accept",
382 EC_NET | EC_SYSCALL,
383 EF_OLD_VERSION | EF_CREATES_FD | EF_MODIFIES_STATE |
384 EF_CONVERTER_MANAGED,
385 3,
386 {{"fd", PT_FD, PF_DEC},
387 {"tuple", PT_SOCKTUPLE, PF_NA},
388 {"queuepct", PT_UINT8, PF_DEC}}},
389 [PPME_SYSCALL_CREAT_E] = {"creat",
390 EC_FILE | EC_SYSCALL,
391 EF_CREATES_FD | EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
392 2,
393 {{"name", PT_FSPATH, PF_NA}, {"mode", PT_UINT32, PF_OCT}}},
394 [PPME_SYSCALL_CREAT_X] = {"creat",
395 EC_FILE | EC_SYSCALL,
396 EF_CREATES_FD | EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
397 6,
398 {{"fd", PT_FD, PF_DEC},
399 {"name", PT_FSPATH, PF_NA},
400 {"mode", PT_UINT32, PF_OCT},
401 {"dev", PT_UINT32, PF_HEX},
402 {"ino", PT_UINT64, PF_DEC},
403 {"creat_flags", PT_FLAGS16, PF_HEX, creat_flags}}},
404 [PPME_SYSCALL_PIPE_E] = {"pipe",
405 EC_IPC | EC_SYSCALL,
406 EF_OLD_VERSION | EF_CREATES_FD | EF_MODIFIES_STATE,
407 0},
408 [PPME_SYSCALL_PIPE_X] = {"pipe",
409 EC_IPC | EC_SYSCALL,
410 EF_CREATES_FD | EF_MODIFIES_STATE,
411 4,
412 {{"res", PT_ERRNO, PF_DEC},
413 {"fd1", PT_FD, PF_DEC},
414 {"fd2", PT_FD, PF_DEC},
415 {"ino", PT_UINT64, PF_DEC}}},
416 [PPME_SYSCALL_EVENTFD_E] = {"eventfd",
417 EC_IPC | EC_SYSCALL,
418 EF_OLD_VERSION | EF_CREATES_FD | EF_MODIFIES_STATE |
419 EF_CONVERTER_MANAGED,
420 2,
421 {{"initval", PT_UINT64, PF_DEC}, {"flags", PT_UINT32, PF_HEX}}},
422 [PPME_SYSCALL_EVENTFD_X] = {"eventfd",
423 EC_IPC | EC_SYSCALL,
424 EF_CREATES_FD | EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
425 3,
426 {{"res", PT_FD, PF_DEC},
427 {"initval", PT_UINT64, PF_DEC},
428 {"flags", PT_UINT32, PF_HEX}}},
429 [PPME_SYSCALL_FUTEX_E] = {"futex",
430 EC_IPC | EC_SYSCALL,
431 EF_OLD_VERSION | EF_CONVERTER_MANAGED,
432 3,
433 {{"addr", PT_UINT64, PF_HEX},
434 {"op", PT_FLAGS16, PF_HEX, futex_operations},
435 {"val", PT_UINT64, PF_DEC}}},
436 [PPME_SYSCALL_FUTEX_X] = {"futex",
437 EC_IPC | EC_SYSCALL,
438 EF_CONVERTER_MANAGED,
439 4,
440 {{"res", PT_ERRNO, PF_DEC},
441 {"addr", PT_UINT64, PF_HEX},
442 {"op", PT_FLAGS16, PF_HEX, futex_operations},
443 {"val", PT_UINT64, PF_DEC}}},
444 [PPME_SYSCALL_STAT_E] = {"stat", EC_FILE | EC_SYSCALL, EF_OLD_VERSION, 0},
445 [PPME_SYSCALL_STAT_X] = {"stat",
446 EC_FILE | EC_SYSCALL,
447 EF_NONE,
448 2,
449 {{"res", PT_ERRNO, PF_DEC}, {"path", PT_FSPATH, PF_NA}}},
450 [PPME_SYSCALL_LSTAT_E] = {"lstat", EC_FILE | EC_SYSCALL, EF_OLD_VERSION, 0},
451 [PPME_SYSCALL_LSTAT_X] = {"lstat",
452 EC_FILE | EC_SYSCALL,
453 EF_NONE,
454 2,
455 {{"res", PT_ERRNO, PF_DEC}, {"path", PT_FSPATH, PF_NA}}},
456 [PPME_SYSCALL_FSTAT_E] = {"fstat",
457 EC_FILE | EC_SYSCALL,
458 EF_OLD_VERSION | EF_USES_FD | EF_CONVERTER_MANAGED,
459 1,
460 {{"fd", PT_FD, PF_NA}}},
461 [PPME_SYSCALL_FSTAT_X] = {"fstat",
462 EC_FILE | EC_SYSCALL,
463 EF_USES_FD | EF_CONVERTER_MANAGED,
464 2,
465 {{"res", PT_ERRNO, PF_DEC}, {"fd", PT_FD, PF_NA}}},
466 [PPME_SYSCALL_STAT64_E] = {"stat64", EC_FILE | EC_SYSCALL, EF_OLD_VERSION, 0},
467 [PPME_SYSCALL_STAT64_X] = {"stat64",
468 EC_FILE | EC_SYSCALL,
469 EF_NONE,
470 2,
471 {{"res", PT_ERRNO, PF_DEC}, {"path", PT_FSPATH, PF_NA}}},
472 [PPME_SYSCALL_LSTAT64_E] = {"lstat64", EC_FILE | EC_SYSCALL, EF_OLD_VERSION, 0},
473 [PPME_SYSCALL_LSTAT64_X] = {"lstat64",
474 EC_FILE | EC_SYSCALL,
475 EF_NONE,
476 2,
477 {{"res", PT_ERRNO, PF_DEC}, {"path", PT_FSPATH, PF_NA}}},
478 [PPME_SYSCALL_FSTAT64_E] = {"fstat64",
479 EC_FILE | EC_SYSCALL,
480 EF_OLD_VERSION | EF_USES_FD,
481 1,
482 {{"fd", PT_FD, PF_NA}}},
483 [PPME_SYSCALL_FSTAT64_X] =
484 {"fstat64", EC_FILE | EC_SYSCALL, EF_NONE, 1, {{"res", PT_ERRNO, PF_DEC}}},
485 [PPME_SYSCALL_EPOLLWAIT_E] = {"epoll_wait",
486 EC_WAIT | EC_SYSCALL,
487 EF_OLD_VERSION | EF_WAITS | EF_CONVERTER_MANAGED,
488 1,
489 {{"maxevents", PT_ERRNO, PF_DEC}}},
490 [PPME_SYSCALL_EPOLLWAIT_X] = {"epoll_wait",
491 EC_WAIT | EC_SYSCALL,
492 EF_WAITS | EF_CONVERTER_MANAGED,
493 2,
494 {{"res", PT_ERRNO, PF_DEC}, {"maxevents", PT_ERRNO, PF_DEC}}},
495 [PPME_SYSCALL_POLL_E] = {"poll",
496 EC_WAIT | EC_SYSCALL,
497 EF_OLD_VERSION | EF_WAITS | EF_CONVERTER_MANAGED,
498 2,
499 {{"fds", PT_FDLIST, PF_DEC}, {"timeout", PT_INT64, PF_DEC}}},
500 [PPME_SYSCALL_POLL_X] = {"poll",
501 EC_WAIT | EC_SYSCALL,
502 EF_WAITS | EF_CONVERTER_MANAGED,
503 3,
504 {{"res", PT_ERRNO, PF_DEC},
505 {"fds", PT_FDLIST, PF_DEC},
506 {"timeout", PT_INT64, PF_DEC}}},
507 [PPME_SYSCALL_SELECT_E] = {"select", EC_WAIT | EC_SYSCALL, EF_OLD_VERSION | EF_WAITS, 0},
508 [PPME_SYSCALL_SELECT_X] =
509 {"select", EC_WAIT | EC_SYSCALL, EF_WAITS, 1, {{"res", PT_ERRNO, PF_DEC}}},
510 [PPME_SYSCALL_NEWSELECT_E] = {"select", EC_WAIT | EC_SYSCALL, EF_OLD_VERSION | EF_WAITS, 0},
511 [PPME_SYSCALL_NEWSELECT_X] = {"select",
512 EC_WAIT | EC_SYSCALL,
513 EF_OLD_VERSION | EF_WAITS | EF_CONVERTER_MANAGED,
514 1,
515 {{"res", PT_ERRNO, PF_DEC}}},
516 [PPME_SYSCALL_LSEEK_E] = {"lseek",
517 EC_FILE | EC_SYSCALL,
518 EF_OLD_VERSION | EF_USES_FD | EF_CONVERTER_MANAGED,
519 3,
520 {{"fd", PT_FD, PF_DEC},
521 {"offset", PT_UINT64, PF_DEC},
522 {"whence", PT_ENUMFLAGS8, PF_DEC, lseek_whence}}},
523 [PPME_SYSCALL_LSEEK_X] = {"lseek",
524 EC_FILE | EC_SYSCALL,
525 EF_USES_FD | EF_CONVERTER_MANAGED,
526 4,
527 {{"res", PT_ERRNO, PF_DEC},
528 {"fd", PT_FD, PF_DEC},
529 {"offset", PT_UINT64, PF_DEC},
530 {"whence", PT_ENUMFLAGS8, PF_DEC, lseek_whence}}},
531 [PPME_SYSCALL_LLSEEK_E] = {"llseek",
532 EC_FILE | EC_SYSCALL,
533 EF_OLD_VERSION | EF_USES_FD | EF_CONVERTER_MANAGED,
534 3,
535 {{"fd", PT_FD, PF_DEC},
536 {"offset", PT_UINT64, PF_DEC},
537 {"whence", PT_ENUMFLAGS8, PF_DEC, lseek_whence}}},
538 [PPME_SYSCALL_LLSEEK_X] = {"llseek",
539 EC_FILE | EC_SYSCALL,
540 EF_USES_FD | EF_CONVERTER_MANAGED,
541 4,
542 {{"res", PT_ERRNO, PF_DEC},
543 {"fd", PT_FD, PF_DEC},
544 {"offset", PT_UINT64, PF_DEC},
545 {"whence", PT_ENUMFLAGS8, PF_DEC, lseek_whence}}},
546 [PPME_SYSCALL_IOCTL_2_E] = {"ioctl",
547 EC_IO_OTHER | EC_SYSCALL,
548 EF_OLD_VERSION | EF_USES_FD | EF_CONVERTER_MANAGED,
549 2,
550 {{"fd", PT_FD, PF_DEC}, {"request", PT_UINT64, PF_HEX}}},
551 [PPME_SYSCALL_IOCTL_2_X] = {"ioctl",
552 EC_IO_OTHER | EC_SYSCALL,
553 EF_OLD_VERSION | EF_USES_FD | EF_CONVERTER_MANAGED,
554 1,
555 {{"res", PT_ERRNO, PF_DEC}}},
556 [PPME_SYSCALL_GETCWD_E] = {"getcwd", EC_FILE | EC_SYSCALL, EF_OLD_VERSION, 0},
557 [PPME_SYSCALL_GETCWD_X] = {"getcwd",
560 EC_FILE | EC_SYSCALL,
561 EF_NONE,
562 2,
563 {{"res", PT_ERRNO, PF_DEC}, {"path", PT_CHARBUF, PF_NA}}},
564 [PPME_SYSCALL_CHDIR_E] = {"chdir",
567 EC_FILE | EC_SYSCALL,
568 EF_OLD_VERSION | EF_MODIFIES_STATE,
569 0},
570 [PPME_SYSCALL_CHDIR_X] = {"chdir",
571 EC_FILE | EC_SYSCALL,
572 EF_MODIFIES_STATE,
573 2,
574 {{"res", PT_ERRNO, PF_DEC}, {"path", PT_CHARBUF, PF_NA}}},
575 [PPME_SYSCALL_FCHDIR_E] = {"fchdir",
576 EC_FILE | EC_SYSCALL,
577 EF_OLD_VERSION | EF_USES_FD | EF_MODIFIES_STATE |
578 EF_CONVERTER_MANAGED,
579 1,
580 {{"fd", PT_FD, PF_NA}}},
581 [PPME_SYSCALL_FCHDIR_X] = {"fchdir",
582 EC_FILE | EC_SYSCALL,
583 EF_USES_FD | EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
584 2,
585 {{"res", PT_ERRNO, PF_DEC}, {"fd", PT_FD, PF_NA}}},
586 [PPME_SYSCALL_MKDIR_E] = {"mkdir",
587 EC_FILE | EC_SYSCALL,
588 EF_OLD_VERSION | EF_CONVERTER_MANAGED,
589 2,
590 {{"path", PT_FSPATH, PF_NA}, {"mode", PT_UINT32, PF_HEX}}},
591 [PPME_SYSCALL_MKDIR_X] = {"mkdir",
592 EC_FILE | EC_SYSCALL,
593 EF_OLD_VERSION | EF_CONVERTER_MANAGED,
594 1,
595 {{"res", PT_ERRNO, PF_DEC}}},
596 [PPME_SYSCALL_RMDIR_E] = {"rmdir",
597 EC_FILE | EC_SYSCALL,
598 EF_OLD_VERSION | EF_CONVERTER_MANAGED,
599 1,
600 {{"path", PT_FSPATH, PF_NA}}},
601 [PPME_SYSCALL_RMDIR_X] = {"rmdir",
602 EC_FILE | EC_SYSCALL,
603 EF_OLD_VERSION | EF_CONVERTER_MANAGED,
604 1,
605 {{"res", PT_ERRNO, PF_DEC}}},
606 [PPME_SYSCALL_OPENAT_E] = {"openat",
607 EC_FILE | EC_SYSCALL,
608 EF_OLD_VERSION | EF_CREATES_FD | EF_MODIFIES_STATE |
609 EF_CONVERTER_MANAGED,
610 4,
611 {{"dirfd", PT_FD, PF_DEC},
612 {"name", PT_CHARBUF, PF_NA},
613 {"flags", PT_FLAGS32, PF_HEX, file_flags},
614 {"mode", PT_UINT32, PF_OCT}}},
615 [PPME_SYSCALL_OPENAT_X] = {"openat",
616 EC_FILE | EC_SYSCALL,
617 EF_OLD_VERSION | EF_CREATES_FD | EF_MODIFIES_STATE |
618 EF_CONVERTER_MANAGED,
619 1,
620 {{"fd", PT_FD, PF_DEC}}},
621 [PPME_SYSCALL_LINK_E] = {"link",
622 EC_FILE | EC_SYSCALL,
623 EF_OLD_VERSION | EF_CONVERTER_MANAGED,
624 2,
625 {{"oldpath", PT_FSPATH, PF_NA}, {"newpath", PT_FSPATH, PF_NA}}},
626 [PPME_SYSCALL_LINK_X] = {"link",
627 EC_FILE | EC_SYSCALL,
628 EF_OLD_VERSION | EF_CONVERTER_MANAGED,
629 1,
630 {{"res", PT_ERRNO, PF_DEC}}},
631 [PPME_SYSCALL_LINKAT_E] = {"linkat",
632 EC_FILE | EC_SYSCALL,
633 EF_OLD_VERSION | EF_CONVERTER_MANAGED,
634 4,
635 {{"olddir", PT_FD, PF_DEC},
636 {"oldpath", PT_CHARBUF, PF_NA},
637 {"newdir", PT_FD, PF_DEC},
638 {"newpath", PT_CHARBUF, PF_NA}}},
639 [PPME_SYSCALL_LINKAT_X] = {"linkat",
640 EC_FILE | EC_SYSCALL,
641 EF_OLD_VERSION | EF_CONVERTER_MANAGED,
642 1,
643 {{"res", PT_ERRNO, PF_DEC}}},
644 [PPME_SYSCALL_UNLINK_E] = {"unlink",
645 EC_FILE | EC_SYSCALL,
646 EF_OLD_VERSION | EF_CONVERTER_MANAGED,
647 1,
648 {{"path", PT_FSPATH, PF_NA}}},
649 [PPME_SYSCALL_UNLINK_X] = {"unlink",
650 EC_FILE | EC_SYSCALL,
651 EF_OLD_VERSION | EF_CONVERTER_MANAGED,
652 1,
653 {{"res", PT_ERRNO, PF_DEC}}},
654 [PPME_SYSCALL_UNLINKAT_E] = {"unlinkat",
655 EC_FILE | EC_SYSCALL,
656 EF_OLD_VERSION | EF_CONVERTER_MANAGED,
657 2,
658 {{"dirfd", PT_FD, PF_DEC}, {"name", PT_CHARBUF, PF_NA}}},
659 [PPME_SYSCALL_UNLINKAT_X] = {"unlinkat",
660 EC_FILE | EC_SYSCALL,
661 EF_OLD_VERSION | EF_CONVERTER_MANAGED,
662 1,
663 {{"res", PT_ERRNO, PF_DEC}}},
664 [PPME_SYSCALL_PREAD_E] =
665 {"pread",
666 EC_IO_READ | EC_SYSCALL,
667 EF_OLD_VERSION | EF_USES_FD | EF_READS_FROM_FD | EF_CONVERTER_MANAGED,
668 3,
669 {{"fd", PT_FD, PF_DEC}, {"size", PT_UINT32, PF_DEC}, {"pos", PT_UINT64, PF_DEC}}},
670 [PPME_SYSCALL_PREAD_X] = {"pread",
671 EC_IO_READ | EC_SYSCALL,
672 EF_USES_FD | EF_READS_FROM_FD | EF_CONVERTER_MANAGED,
673 5,
674 {{"res", PT_ERRNO, PF_DEC},
675 {"data", PT_BYTEBUF, PF_NA},
676 {"fd", PT_FD, PF_DEC},
677 {"size", PT_UINT32, PF_DEC},
678 {"pos", PT_UINT64, PF_DEC}}},
679 [PPME_SYSCALL_PWRITE_E] =
680 {"pwrite",
681 EC_IO_WRITE | EC_SYSCALL,
682 EF_OLD_VERSION | EF_USES_FD | EF_WRITES_TO_FD | EF_CONVERTER_MANAGED,
683 3,
684 {{"fd", PT_FD, PF_DEC}, {"size", PT_UINT32, PF_DEC}, {"pos", PT_UINT64, PF_DEC}}},
685 [PPME_SYSCALL_PWRITE_X] = {"pwrite",
686 EC_IO_WRITE | EC_SYSCALL,
687 EF_USES_FD | EF_WRITES_TO_FD | EF_CONVERTER_MANAGED,
688 5,
689 {{"res", PT_ERRNO, PF_DEC},
690 {"data", PT_BYTEBUF, PF_NA},
691 {"fd", PT_FD, PF_DEC},
692 {"size", PT_UINT32, PF_DEC},
693 {"pos", PT_UINT64, PF_DEC}}},
694 [PPME_SYSCALL_READV_E] = {"readv",
695 EC_IO_READ | EC_SYSCALL,
696 EF_OLD_VERSION | EF_USES_FD | EF_READS_FROM_FD |
697 EF_CONVERTER_MANAGED,
698 1,
699 {{"fd", PT_FD, PF_DEC}}},
700 [PPME_SYSCALL_READV_X] = {"readv",
701 EC_IO_READ | EC_SYSCALL,
702 EF_USES_FD | EF_READS_FROM_FD | EF_CONVERTER_MANAGED,
703 4,
704 {{"res", PT_ERRNO, PF_DEC},
705 {"size", PT_UINT32, PF_DEC},
706 {"data", PT_BYTEBUF, PF_NA},
707 {"fd", PT_FD, PF_DEC}}},
708 [PPME_SYSCALL_WRITEV_E] = {"writev",
709 EC_IO_WRITE | EC_SYSCALL,
710 EF_OLD_VERSION | EF_USES_FD | EF_WRITES_TO_FD |
711 EF_CONVERTER_MANAGED,
712 2,
713 {{"fd", PT_FD, PF_DEC}, {"size", PT_UINT32, PF_DEC}}},
714 [PPME_SYSCALL_WRITEV_X] = {"writev",
715 EC_IO_WRITE | EC_SYSCALL,
716 EF_USES_FD | EF_WRITES_TO_FD | EF_CONVERTER_MANAGED,
717 4,
718 {{"res", PT_ERRNO, PF_DEC},
719 {"data", PT_BYTEBUF, PF_NA},
720 {"fd", PT_FD, PF_DEC},
721 {"size", PT_UINT32, PF_DEC}}},
722 [PPME_SYSCALL_PREADV_E] = {"preadv",
723 EC_IO_READ | EC_SYSCALL,
724 EF_OLD_VERSION | EF_USES_FD | EF_READS_FROM_FD |
725 EF_CONVERTER_MANAGED,
726 2,
727 {{"fd", PT_FD, PF_DEC}, {"pos", PT_UINT64, PF_DEC}}},
728 [PPME_SYSCALL_PREADV_X] = {"preadv",
729 EC_IO_READ | EC_SYSCALL,
730 EF_USES_FD | EF_READS_FROM_FD | EF_CONVERTER_MANAGED,
731 5,
732 {{"res", PT_ERRNO, PF_DEC},
733 {"size", PT_UINT32, PF_DEC},
734 {"data", PT_BYTEBUF, PF_NA},
735 {"fd", PT_FD, PF_DEC},
736 {"pos", PT_UINT64, PF_DEC}}},
737 [PPME_SYSCALL_PWRITEV_E] =
738 {"pwritev",
739 EC_IO_WRITE | EC_SYSCALL,
740 EF_OLD_VERSION | EF_USES_FD | EF_WRITES_TO_FD | EF_CONVERTER_MANAGED,
741 3,
742 {{"fd", PT_FD, PF_DEC}, {"size", PT_UINT32, PF_DEC}, {"pos", PT_UINT64, PF_DEC}}},
743 [PPME_SYSCALL_PWRITEV_X] = {"pwritev",
744 EC_IO_WRITE | EC_SYSCALL,
745 EF_USES_FD | EF_WRITES_TO_FD | EF_CONVERTER_MANAGED,
746 5,
747 {{"res", PT_ERRNO, PF_DEC},
748 {"data", PT_BYTEBUF, PF_NA},
749 {"fd", PT_FD, PF_DEC},
750 {"size", PT_UINT32, PF_DEC},
751 {"pos", PT_UINT64, PF_DEC}}},
752 [PPME_SYSCALL_DUP_E] = {"dup",
753 EC_IO_OTHER | EC_SYSCALL,
754 EF_OLD_VERSION | EF_CREATES_FD | EF_USES_FD | EF_MODIFIES_STATE |
755 EF_CONVERTER_MANAGED,
756 1,
757 {{"fd", PT_FD, PF_DEC}}},
758 [PPME_SYSCALL_DUP_X] = {"dup",
759 EC_IO_OTHER | EC_SYSCALL,
760 EF_OLD_VERSION | EF_CREATES_FD | EF_USES_FD | EF_MODIFIES_STATE |
761 EF_CONVERTER_MANAGED,
762 1,
763 {{"res", PT_FD, PF_DEC}}},
764 [PPME_SYSCALL_SIGNALFD_E] =
765 {"signalfd",
766 EC_SIGNAL | EC_SYSCALL,
767 EF_OLD_VERSION | EF_CREATES_FD | EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
768 3,
769 {{"fd", PT_FD, PF_DEC}, {"mask", PT_UINT32, PF_HEX}, {"flags", PT_UINT8, PF_HEX}}},
770 [PPME_SYSCALL_SIGNALFD_X] = {"signalfd",
771 EC_SIGNAL | EC_SYSCALL,
772 EF_CREATES_FD | EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
773 4,
774 {{"res", PT_FD, PF_DEC},
775 {"fd", PT_FD, PF_DEC},
776 {"mask", PT_UINT32, PF_HEX},
777 {"flags", PT_UINT8, PF_HEX}}},
778 [PPME_SYSCALL_KILL_E] = {"kill",
779 EC_SIGNAL | EC_SYSCALL,
780 EF_OLD_VERSION | EF_CONVERTER_MANAGED,
781 2,
782 {{"pid", PT_PID, PF_DEC}, {"sig", PT_SIGTYPE, PF_DEC}}},
783 [PPME_SYSCALL_KILL_X] = {"kill",
784 EC_SIGNAL | EC_SYSCALL,
785 EF_CONVERTER_MANAGED,
786 3,
787 {{"res", PT_ERRNO, PF_DEC},
788 {"pid", PT_PID, PF_DEC},
789 {"sig", PT_SIGTYPE, PF_DEC}}},
790 [PPME_SYSCALL_TKILL_E] = {"tkill",
791 EC_SIGNAL | EC_SYSCALL,
792 EF_OLD_VERSION | EF_CONVERTER_MANAGED,
793 2,
794 {{"tid", PT_PID, PF_DEC}, {"sig", PT_SIGTYPE, PF_DEC}}},
795 [PPME_SYSCALL_TKILL_X] = {"tkill",
796 EC_SIGNAL | EC_SYSCALL,
797 EF_CONVERTER_MANAGED,
798 3,
799 {{"res", PT_ERRNO, PF_DEC},
800 {"tid", PT_PID, PF_DEC},
801 {"sig", PT_SIGTYPE, PF_DEC}}},
802 [PPME_SYSCALL_TGKILL_E] = {"tgkill",
803 EC_SIGNAL | EC_SYSCALL,
804 EF_OLD_VERSION | EF_CONVERTER_MANAGED,
805 3,
806 {{"pid", PT_PID, PF_DEC},
807 {"tid", PT_PID, PF_DEC},
808 {"sig", PT_SIGTYPE, PF_DEC}}},
809 [PPME_SYSCALL_TGKILL_X] = {"tgkill",
810 EC_SIGNAL | EC_SYSCALL,
811 EF_CONVERTER_MANAGED,
812 4,
813 {{"res", PT_ERRNO, PF_DEC},
814 {"pid", PT_PID, PF_DEC},
815 {"tid", PT_PID, PF_DEC},
816 {"sig", PT_SIGTYPE, PF_DEC}}},
817 [PPME_SYSCALL_NANOSLEEP_E] = {"nanosleep",
818 EC_SLEEP | EC_SYSCALL,
819 EF_OLD_VERSION | EF_WAITS | EF_CONVERTER_MANAGED,
820 1,
821 {{"interval", PT_RELTIME, PF_DEC}}},
822 [PPME_SYSCALL_NANOSLEEP_X] = {"nanosleep",
823 EC_SLEEP | EC_SYSCALL,
824 EF_WAITS | EF_CONVERTER_MANAGED,
825 2,
826 {{"res", PT_ERRNO, PF_DEC},
827 {"interval", PT_RELTIME, PF_DEC}}},
828 [PPME_SYSCALL_TIMERFD_CREATE_E] = {"timerfd_create",
829 EC_TIME | EC_SYSCALL,
830 EF_OLD_VERSION | EF_CREATES_FD | EF_MODIFIES_STATE |
831 EF_CONVERTER_MANAGED,
832 2,
833 {{"clockid", PT_UINT8, PF_DEC},
834 {"flags", PT_UINT8, PF_HEX}}},
835 [PPME_SYSCALL_TIMERFD_CREATE_X] = {"timerfd_create",
836 EC_TIME | EC_SYSCALL,
837 EF_CREATES_FD | EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
838 3,
839 {{"res", PT_FD, PF_DEC},
840 {"clockid", PT_UINT8, PF_DEC},
841 {"flags", PT_UINT8, PF_HEX}}},
842 [PPME_SYSCALL_INOTIFY_INIT_E] = {"inotify_init",
843 EC_IPC | EC_SYSCALL,
844 EF_OLD_VERSION | EF_CREATES_FD | EF_MODIFIES_STATE |
845 EF_CONVERTER_MANAGED,
846 1,
847 {{"flags", PT_UINT8, PF_HEX}}},
848 [PPME_SYSCALL_INOTIFY_INIT_X] = {"inotify_init",
849 EC_IPC | EC_SYSCALL,
850 EF_CREATES_FD | EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
851 2,
852 {{"res", PT_FD, PF_DEC}, {"flags", PT_UINT8, PF_HEX}}},
853 [PPME_SYSCALL_GETRLIMIT_E] = {"getrlimit",
854 EC_PROCESS | EC_SYSCALL,
855 EF_OLD_VERSION | EF_CONVERTER_MANAGED,
856 1,
857 {{"resource", PT_ENUMFLAGS8, PF_DEC, rlimit_resources}}},
858 [PPME_SYSCALL_GETRLIMIT_X] = {"getrlimit",
859 EC_PROCESS | EC_SYSCALL,
860 EF_CONVERTER_MANAGED,
861 4,
862 {{"res", PT_ERRNO, PF_DEC},
863 {"cur", PT_INT64, PF_DEC},
864 {"max", PT_INT64, PF_DEC},
865 {"resource", PT_ENUMFLAGS8, PF_DEC, rlimit_resources}}},
866 [PPME_SYSCALL_SETRLIMIT_E] = {"setrlimit",
867 EC_PROCESS | EC_SYSCALL,
868 EF_OLD_VERSION | EF_CONVERTER_MANAGED,
869 1,
870 {{"resource", PT_ENUMFLAGS8, PF_DEC, rlimit_resources}}},
871 [PPME_SYSCALL_SETRLIMIT_X] = {"setrlimit",
872 EC_PROCESS | EC_SYSCALL,
873 EF_CONVERTER_MANAGED,
874 4,
875 {{"res", PT_ERRNO, PF_DEC},
876 {"cur", PT_INT64, PF_DEC},
877 {"max", PT_INT64, PF_DEC},
878 {"resource", PT_ENUMFLAGS8, PF_DEC, rlimit_resources}}},
879 [PPME_SYSCALL_PRLIMIT_E] = {"prlimit",
880 EC_PROCESS | EC_SYSCALL,
881 EF_OLD_VERSION | EF_CONVERTER_MANAGED,
882 2,
883 {{"pid", PT_PID, PF_DEC},
884 {"resource", PT_ENUMFLAGS8, PF_DEC, rlimit_resources}}},
885 [PPME_SYSCALL_PRLIMIT_X] = {"prlimit",
886 EC_PROCESS | EC_SYSCALL,
887 EF_CONVERTER_MANAGED,
888 7,
889 {{"res", PT_ERRNO, PF_DEC},
890 {"newcur", PT_INT64, PF_DEC},
891 {"newmax", PT_INT64, PF_DEC},
892 {"oldcur", PT_INT64, PF_DEC},
893 {"oldmax", PT_INT64, PF_DEC},
894 {"pid", PT_INT64, PF_DEC},
895 {"resource", PT_ENUMFLAGS8, PF_DEC, rlimit_resources}}},
896 [PPME_SCHEDSWITCH_1_E] = {"switch",
897 EC_SCHEDULER | EC_TRACEPOINT,
898 EF_OLD_VERSION | EF_SKIPPARSERESET | EF_CONVERTER_MANAGED,
899 1,
900 {{"next", PT_PID, PF_DEC}}},
901 [PPME_SCHEDSWITCH_1_X] = {"NA", EC_UNKNOWN, EF_UNUSED, 0},
902 [PPME_DROP_E] = {"drop",
903 EC_INTERNAL | EC_METAEVENT,
904 EF_SKIPPARSERESET,
905 1,
906 {{"ratio", PT_UINT32, PF_DEC}}},
907 [PPME_DROP_X] = {"drop",
908 EC_INTERNAL | EC_METAEVENT,
909 EF_SKIPPARSERESET,
910 1,
911 {{"ratio", PT_UINT32, PF_DEC}}},
912 [PPME_SYSCALL_FCNTL_E] = {"fcntl",
913 EC_IO_OTHER | EC_SYSCALL,
914 EF_OLD_VERSION | EF_USES_FD | EF_MODIFIES_STATE |
915 EF_CONVERTER_MANAGED,
916 2,
917 {{"fd", PT_FD, PF_DEC},
918 {"cmd", PT_ENUMFLAGS8, PF_DEC, fcntl_commands}}},
919 [PPME_SYSCALL_FCNTL_X] = {"fcntl",
920 EC_IO_OTHER | EC_SYSCALL,
921 EF_USES_FD | EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
922 4,
923 {{"res", PT_FD, PF_DEC},
924 {"fd", PT_FD, PF_DEC},
925 {"cmd", PT_ENUMFLAGS8, PF_DEC, fcntl_commands},
926 {"arg", PT_UINT64, PF_HEX}}},
927 [PPME_SCHEDSWITCH_6_E] =
928 {"switch",
929 EC_SCHEDULER | EC_TRACEPOINT,
930 EF_NONE,
931 6,
932 {{"next", PT_PID, PF_DEC},
933 {"pgft_maj", PT_UINT64, PF_DEC},
934 {"pgft_min", PT_UINT64, PF_DEC},
935 {"vm_size", PT_UINT32, PF_DEC},
936 {"vm_rss", PT_UINT32, PF_DEC},
937 {"vm_swap", PT_UINT32, PF_DEC}}},
938 [PPME_SCHEDSWITCH_6_X] = {"NA", EC_UNKNOWN, EF_UNUSED, 0},
939 [PPME_SYSCALL_EXECVE_13_E] = {"execve",
940 EC_PROCESS | EC_SYSCALL,
941 EF_OLD_VERSION | EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
942 0},
943 [PPME_SYSCALL_EXECVE_13_X] = {"execve",
944 EC_PROCESS | EC_SYSCALL,
945 EF_OLD_VERSION | EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
946 13,
947 {{"res", PT_ERRNO, PF_DEC},
948 {"exe", PT_CHARBUF, PF_NA},
949 {"args", PT_BYTEBUF, PF_NA},
950 {"tid", PT_PID, PF_DEC},
951 {"pid", PT_PID, PF_DEC},
952 {"ptid", PT_PID, PF_DEC},
953 {"cwd", PT_CHARBUF, PF_NA},
954 {"fdlimit", PT_UINT64, PF_DEC},
955 {"pgft_maj", PT_UINT64, PF_DEC},
956 {"pgft_min", PT_UINT64, PF_DEC},
957 {"vm_size", PT_UINT32, PF_DEC},
958 {"vm_rss", PT_UINT32, PF_DEC},
959 {"vm_swap", PT_UINT32, PF_DEC}}},
960 [PPME_SYSCALL_CLONE_16_E] = {"clone",
961 EC_PROCESS | EC_SYSCALL,
962 EF_OLD_VERSION | EF_MODIFIES_STATE,
963 0},
964 [PPME_SYSCALL_CLONE_16_X] = {"clone",
965 EC_PROCESS | EC_SYSCALL,
966 EF_OLD_VERSION | EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
967 16,
968 {{"res", PT_PID, PF_DEC},
969 {"exe", PT_CHARBUF, PF_NA},
970 {"args", PT_BYTEBUF, PF_NA},
971 {"tid", PT_PID, PF_DEC},
972 {"pid", PT_PID, PF_DEC},
973 {"ptid", PT_PID, PF_DEC},
974 {"cwd", PT_CHARBUF, PF_NA},
975 {"fdlimit", PT_INT64, PF_DEC},
976 {"pgft_maj", PT_UINT64, PF_DEC},
977 {"pgft_min", PT_UINT64, PF_DEC},
978 {"vm_size", PT_UINT32, PF_DEC},
979 {"vm_rss", PT_UINT32, PF_DEC},
980 {"vm_swap", PT_UINT32, PF_DEC},
981 {"flags", PT_FLAGS32, PF_HEX, clone_flags},
982 {"uid", PT_UINT32, PF_DEC},
983 {"gid", PT_UINT32, PF_DEC}}},
984 [PPME_SYSCALL_BRK_4_E] = {"brk",
985 EC_MEMORY | EC_SYSCALL,
986 EF_OLD_VERSION | EF_CONVERTER_MANAGED,
987 1,
988 {{"addr", PT_UINT64, PF_HEX}}},
989 [PPME_SYSCALL_BRK_4_X] = {"brk",
990 EC_MEMORY | EC_SYSCALL,
991 EF_CONVERTER_MANAGED,
992 5,
993 {{"res", PT_UINT64, PF_HEX},
994 {"vm_size", PT_UINT32, PF_DEC},
995 {"vm_rss", PT_UINT32, PF_DEC},
996 {"vm_swap", PT_UINT32, PF_DEC},
997 {"addr", PT_UINT64, PF_HEX}}},
998 [PPME_SYSCALL_MMAP_E] = {"mmap",
999 EC_MEMORY | EC_SYSCALL,
1000 EF_OLD_VERSION | EF_USES_FD | EF_CONVERTER_MANAGED,
1001 6,
1002 {{"addr", PT_UINT64, PF_HEX},
1003 {"length", PT_UINT64, PF_DEC},
1004 {"prot", PT_FLAGS32, PF_HEX, prot_flags},
1005 {"flags", PT_FLAGS32, PF_HEX, mmap_flags},
1006 {"fd", PT_FD, PF_DEC},
1007 {"offset", PT_UINT64, PF_DEC}}},
1008 [PPME_SYSCALL_MMAP_X] = {"mmap",
1009 EC_MEMORY | EC_SYSCALL,
1010 EF_USES_FD | EF_CONVERTER_MANAGED,
1011 10,
1012 {{"res", PT_ERRNO, PF_HEX},
1013 {"vm_size", PT_UINT32, PF_DEC},
1014 {"vm_rss", PT_UINT32, PF_DEC},
1015 {"vm_swap", PT_UINT32, PF_DEC},
1016 {"addr", PT_UINT64, PF_HEX},
1017 {"length", PT_UINT64, PF_DEC},
1018 {"prot", PT_FLAGS32, PF_HEX, prot_flags},
1019 {"flags", PT_FLAGS32, PF_HEX, mmap_flags},
1020 {"fd", PT_FD, PF_DEC},
1021 {"offset", PT_UINT64, PF_DEC}}},
1022 [PPME_SYSCALL_MMAP2_E] = {"mmap2",
1023 EC_MEMORY | EC_SYSCALL,
1024 EF_OLD_VERSION | EF_USES_FD | EF_CONVERTER_MANAGED,
1025 6,
1026 {{"addr", PT_UINT64, PF_HEX},
1027 {"length", PT_UINT64, PF_DEC},
1028 {"prot", PT_FLAGS32, PF_HEX, prot_flags},
1029 {"flags", PT_FLAGS32, PF_HEX, mmap_flags},
1030 {"fd", PT_FD, PF_DEC},
1031 {"pgoffset", PT_UINT64, PF_DEC}}},
1032 [PPME_SYSCALL_MMAP2_X] = {"mmap2",
1033 EC_MEMORY | EC_SYSCALL,
1034 EF_USES_FD | EF_CONVERTER_MANAGED,
1035 10,
1036 {{"res", PT_ERRNO, PF_HEX},
1037 {"vm_size", PT_UINT32, PF_DEC},
1038 {"vm_rss", PT_UINT32, PF_DEC},
1039 {"vm_swap", PT_UINT32, PF_DEC},
1040 {"addr", PT_UINT64, PF_HEX},
1041 {"length", PT_UINT64, PF_DEC},
1042 {"prot", PT_FLAGS32, PF_HEX, prot_flags},
1043 {"flags", PT_FLAGS32, PF_HEX, mmap_flags},
1044 {"fd", PT_FD, PF_DEC},
1045 {"pgoffset", PT_UINT64, PF_DEC}}},
1046 [PPME_SYSCALL_MUNMAP_E] = {"munmap",
1047 EC_MEMORY | EC_SYSCALL,
1048 EF_OLD_VERSION | EF_CONVERTER_MANAGED,
1049 2,
1050 {{"addr", PT_UINT64, PF_HEX}, {"length", PT_UINT64, PF_DEC}}},
1051 [PPME_SYSCALL_MUNMAP_X] = {"munmap",
1052 EC_MEMORY | EC_SYSCALL,
1053 EF_CONVERTER_MANAGED,
1054 6,
1055 {{"res", PT_ERRNO, PF_DEC},
1056 {"vm_size", PT_UINT32, PF_DEC},
1057 {"vm_rss", PT_UINT32, PF_DEC},
1058 {"vm_swap", PT_UINT32, PF_DEC},
1059 {"addr", PT_UINT64, PF_HEX},
1060 {"length", PT_UINT64, PF_DEC}}},
1061 [PPME_SYSCALL_SPLICE_E] = {"splice",
1062 EC_IO_OTHER | EC_SYSCALL,
1063 EF_OLD_VERSION | EF_USES_FD | EF_CONVERTER_MANAGED,
1064 4,
1065 {{"fd_in", PT_FD, PF_DEC},
1066 {"fd_out", PT_FD, PF_DEC},
1067 {"size", PT_UINT64, PF_DEC},
1068 {"flags", PT_FLAGS32, PF_HEX, splice_flags}}},
1069 [PPME_SYSCALL_SPLICE_X] = {"splice",
1070 EC_IO_OTHER | EC_SYSCALL,
1071 EF_USES_FD | EF_CONVERTER_MANAGED,
1072 5,
1073 {{"res", PT_ERRNO, PF_DEC},
1074 {"fd_in", PT_FD, PF_DEC},
1075 {"fd_out", PT_FD, PF_DEC},
1076 {"size", PT_UINT64, PF_DEC},
1077 {"flags", PT_FLAGS32, PF_HEX, splice_flags}}},
1078 [PPME_SYSCALL_PTRACE_E] = {"ptrace",
1079 EC_PROCESS | EC_SYSCALL,
1080 EF_OLD_VERSION | EF_CONVERTER_MANAGED,
1081 2,
1082 {{"request", PT_ENUMFLAGS16, PF_DEC, ptrace_requests},
1083 {"pid", PT_PID, PF_DEC}}},
1084 [PPME_SYSCALL_PTRACE_X] =
1085 {"ptrace",
1086 EC_PROCESS | EC_SYSCALL,
1087 EF_CONVERTER_MANAGED,
1088 5,
1089 {{"res", PT_ERRNO, PF_DEC},
1090 {"addr", PT_DYN, PF_HEX, ptrace_dynamic_param, PPM_PTRACE_IDX_MAX},
1091 {"data", PT_DYN, PF_HEX, ptrace_dynamic_param, PPM_PTRACE_IDX_MAX},
1092 {"request", PT_ENUMFLAGS16, PF_DEC, ptrace_requests},
1093 {"pid", PT_PID, PF_DEC}}},
1094 [PPME_SYSCALL_IOCTL_3_E] = {"ioctl",
1095 EC_IO_OTHER | EC_SYSCALL,
1096 EF_OLD_VERSION | EF_USES_FD | EF_CONVERTER_MANAGED,
1097 3,
1098 {{"fd", PT_FD, PF_DEC},
1099 {"request", PT_UINT64, PF_HEX},
1100 {"argument", PT_UINT64, PF_HEX}}},
1101 [PPME_SYSCALL_IOCTL_3_X] = {"ioctl",
1102 EC_IO_OTHER | EC_SYSCALL,
1103 EF_USES_FD | EF_CONVERTER_MANAGED,
1104 4,
1105 {{"res", PT_ERRNO, PF_DEC},
1106 {"fd", PT_FD, PF_DEC},
1107 {"request", PT_UINT64, PF_HEX},
1108 {"argument", PT_UINT64, PF_HEX}}},
1109 [PPME_SYSCALL_EXECVE_14_E] = {"execve",
1110 EC_PROCESS | EC_SYSCALL,
1111 EF_OLD_VERSION | EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
1112 0},
1113 [PPME_SYSCALL_EXECVE_14_X] = {"execve",
1114 EC_PROCESS | EC_SYSCALL,
1115 EF_OLD_VERSION | EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
1116 14,
1117 {{"res", PT_ERRNO, PF_DEC},
1118 {"exe", PT_CHARBUF, PF_NA},
1119 {"args", PT_BYTEBUF, PF_NA},
1120 {"tid", PT_PID, PF_DEC},
1121 {"pid", PT_PID, PF_DEC},
1122 {"ptid", PT_PID, PF_DEC},
1123 {"cwd", PT_CHARBUF, PF_NA},
1124 {"fdlimit", PT_UINT64, PF_DEC},
1125 {"pgft_maj", PT_UINT64, PF_DEC},
1126 {"pgft_min", PT_UINT64, PF_DEC},
1127 {"vm_size", PT_UINT32, PF_DEC},
1128 {"vm_rss", PT_UINT32, PF_DEC},
1129 {"vm_swap", PT_UINT32, PF_DEC},
1130 {"env", PT_BYTEBUF, PF_NA}}},
1131 [PPME_SYSCALL_RENAME_E] = {"rename", EC_FILE | EC_SYSCALL, EF_OLD_VERSION, 0},
1132 [PPME_SYSCALL_RENAME_X] = {"rename",
1133 EC_FILE | EC_SYSCALL,
1134 EF_NONE,
1135 3,
1136 {{"res", PT_ERRNO, PF_DEC},
1137 {"oldpath", PT_FSPATH, PF_NA},
1138 {"newpath", PT_FSPATH, PF_NA}}},
1139 [PPME_SYSCALL_RENAMEAT_E] = {"renameat", EC_FILE | EC_SYSCALL, EF_OLD_VERSION, 0},
1140 [PPME_SYSCALL_RENAMEAT_X] = {"renameat",
1141 EC_FILE | EC_SYSCALL,
1142 EF_NONE,
1143 5,
1144 {{"res", PT_ERRNO, PF_DEC},
1145 {"olddirfd", PT_FD, PF_DEC},
1146 {"oldpath", PT_FSRELPATH, PF_NA, 1},
1147 {"newdirfd", PT_FD, PF_DEC},
1148 {"newpath", PT_FSRELPATH, PF_NA, 3}}},
1149 [PPME_SYSCALL_SYMLINK_E] = {"symlink", EC_FILE | EC_SYSCALL, EF_OLD_VERSION, 0},
1150 [PPME_SYSCALL_SYMLINK_X] = {"symlink",
1151 EC_FILE | EC_SYSCALL,
1152 EF_NONE,
1153 3,
1154 {{"res", PT_ERRNO, PF_DEC},
1155 {"target", PT_CHARBUF, PF_NA},
1156 {"linkpath", PT_FSPATH, PF_NA}}},
1157 [PPME_SYSCALL_SYMLINKAT_E] = {"symlinkat", EC_FILE | EC_SYSCALL, EF_OLD_VERSION, 0},
1158 [PPME_SYSCALL_SYMLINKAT_X] = {"symlinkat",
1159 EC_FILE | EC_SYSCALL,
1160 EF_USES_FD,
1161 4,
1162 {{"res", PT_ERRNO, PF_DEC},
1163 {"target", PT_CHARBUF, PF_NA},
1164 {"linkdirfd", PT_FD, PF_DEC},
1165 {"linkpath", PT_FSRELPATH, PF_NA, 2}}},
1166 [PPME_SYSCALL_FORK_E] = {"fork",
1167 EC_PROCESS | EC_SYSCALL,
1168 EF_OLD_VERSION | EF_MODIFIES_STATE,
1169 0},
1170 [PPME_SYSCALL_FORK_X] = {"fork",
1171 EC_PROCESS | EC_SYSCALL,
1172 EF_OLD_VERSION | EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
1173 16,
1174 {{"res", PT_PID, PF_DEC},
1175 {"exe", PT_CHARBUF, PF_NA},
1176 {"args", PT_BYTEBUF, PF_NA},
1177 {"tid", PT_PID, PF_DEC},
1178 {"pid", PT_PID, PF_DEC},
1179 {"ptid", PT_PID, PF_DEC},
1180 {"cwd", PT_CHARBUF, PF_NA},
1181 {"fdlimit", PT_INT64, PF_DEC},
1182 {"pgft_maj", PT_UINT64, PF_DEC},
1183 {"pgft_min", PT_UINT64, PF_DEC},
1184 {"vm_size", PT_UINT32, PF_DEC},
1185 {"vm_rss", PT_UINT32, PF_DEC},
1186 {"vm_swap", PT_UINT32, PF_DEC},
1187 {"flags", PT_FLAGS32, PF_HEX, clone_flags},
1188 {"uid", PT_UINT32, PF_DEC},
1189 {"gid", PT_UINT32, PF_DEC}}},
1190 [PPME_SYSCALL_VFORK_E] = {"vfork",
1191 EC_PROCESS | EC_SYSCALL,
1192 EF_OLD_VERSION | EF_MODIFIES_STATE,
1193 0},
1194 [PPME_SYSCALL_VFORK_X] = {"vfork",
1195 EC_PROCESS | EC_SYSCALL,
1196 EF_OLD_VERSION | EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
1197 16,
1198 {{"res", PT_PID, PF_DEC},
1199 {"exe", PT_CHARBUF, PF_NA},
1200 {"args", PT_BYTEBUF, PF_NA},
1201 {"tid", PT_PID, PF_DEC},
1202 {"pid", PT_PID, PF_DEC},
1203 {"ptid", PT_PID, PF_DEC},
1204 {"cwd", PT_CHARBUF, PF_NA},
1205 {"fdlimit", PT_INT64, PF_DEC},
1206 {"pgft_maj", PT_UINT64, PF_DEC},
1207 {"pgft_min", PT_UINT64, PF_DEC},
1208 {"vm_size", PT_UINT32, PF_DEC},
1209 {"vm_rss", PT_UINT32, PF_DEC},
1210 {"vm_swap", PT_UINT32, PF_DEC},
1211 {"flags", PT_FLAGS32, PF_HEX, clone_flags},
1212 {"uid", PT_UINT32, PF_DEC},
1213 {"gid", PT_UINT32, PF_DEC}}},
1214 [PPME_PROCEXIT_1_E] = {"procexit",
1215 EC_PROCESS | EC_TRACEPOINT,
1216 EF_MODIFIES_STATE,
1217 5,
1218 {{"status", PT_ERRNO, PF_DEC},
1219 {"ret", PT_ERRNO, PF_DEC},
1220 {"sig", PT_SIGTYPE, PF_DEC},
1221 {"core", PT_UINT8, PF_DEC},
1222 {"reaper_tid", PT_PID, PF_DEC}}},
1223 [PPME_PROCEXIT_1_X] = {"NA", EC_UNKNOWN, EF_UNUSED, 0},
1224 [PPME_SYSCALL_SENDFILE_E] = {"sendfile",
1225 EC_IO_WRITE | EC_SYSCALL,
1226 EF_OLD_VERSION | EF_USES_FD | EF_CONVERTER_MANAGED,
1227 4,
1228 {{"out_fd", PT_FD, PF_DEC},
1229 {"in_fd", PT_FD, PF_DEC},
1230 {"offset", PT_UINT64, PF_DEC},
1231 {"size", PT_UINT64, PF_DEC}}},
1232 [PPME_SYSCALL_SENDFILE_X] = {"sendfile",
1233 EC_IO_WRITE | EC_SYSCALL,
1234 EF_USES_FD | EF_CONVERTER_MANAGED,
1235 5,
1236 {{"res", PT_ERRNO, PF_DEC},
1237 {"offset", PT_UINT64, PF_DEC},
1238 {"out_fd", PT_FD, PF_DEC},
1239 {"in_fd", PT_FD, PF_DEC},
1240 {"size", PT_UINT64, PF_DEC}}},
1241 [PPME_SYSCALL_QUOTACTL_E] = {"quotactl",
1242 EC_USER | EC_SYSCALL,
1243 EF_OLD_VERSION | EF_CONVERTER_MANAGED,
1244 4,
1245 {{"cmd", PT_FLAGS16, PF_DEC, quotactl_cmds},
1246 {"type", PT_FLAGS8, PF_DEC, quotactl_types},
1247 {"id", PT_UINT32, PF_DEC},
1248 {"quota_fmt", PT_FLAGS8, PF_DEC, quotactl_quota_fmts}}},
1249 [PPME_SYSCALL_QUOTACTL_X] = {"quotactl",
1250 EC_USER | EC_SYSCALL,
1251 EF_CONVERTER_MANAGED,
1252 18,
1253 {{"res", PT_ERRNO, PF_DEC},
1254 {"special", PT_CHARBUF, PF_NA},
1255 {"quotafilepath", PT_CHARBUF, PF_NA},
1256 {"dqb_bhardlimit", PT_UINT64, PF_DEC},
1257 {"dqb_bsoftlimit", PT_UINT64, PF_DEC},
1258 {"dqb_curspace", PT_UINT64, PF_DEC},
1259 {"dqb_ihardlimit", PT_UINT64, PF_DEC},
1260 {"dqb_isoftlimit", PT_UINT64, PF_DEC},
1261 {"dqb_btime", PT_RELTIME, PF_DEC},
1262 {"dqb_itime", PT_RELTIME, PF_DEC},
1263 {"dqi_bgrace", PT_RELTIME, PF_DEC},
1264 {"dqi_igrace", PT_RELTIME, PF_DEC},
1265 {"dqi_flags", PT_FLAGS8, PF_DEC, quotactl_dqi_flags},
1266 {"quota_fmt_out", PT_FLAGS8, PF_DEC, quotactl_quota_fmts},
1267 {"cmd", PT_FLAGS16, PF_DEC, quotactl_cmds},
1268 {"type", PT_FLAGS8, PF_DEC, quotactl_types},
1269 {"id", PT_UINT32, PF_DEC},
1270 {"quota_fmt", PT_FLAGS8, PF_DEC, quotactl_quota_fmts}}},
1271 [PPME_SYSCALL_SETRESUID_E] = {"setresuid",
1272 EC_USER | EC_SYSCALL,
1273 EF_OLD_VERSION | EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
1274 3,
1275 {{"ruid", PT_UID, PF_DEC},
1276 {"euid", PT_UID, PF_DEC},
1277 {"suid", PT_UID, PF_DEC}}},
1278 [PPME_SYSCALL_SETRESUID_X] = {"setresuid",
1279 EC_USER | EC_SYSCALL,
1280 EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
1281 4,
1282 {{"res", PT_ERRNO, PF_DEC},
1283 {"ruid", PT_UID, PF_DEC},
1284 {"euid", PT_UID, PF_DEC},
1285 {"suid", PT_UID, PF_DEC}}},
1286 [PPME_SYSCALL_SETRESGID_E] = {"setresgid",
1287 EC_USER | EC_SYSCALL,
1288 EF_OLD_VERSION | EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
1289 3,
1290 {{"rgid", PT_GID, PF_DEC},
1291 {"egid", PT_GID, PF_DEC},
1292 {"sgid", PT_GID, PF_DEC}}},
1293 [PPME_SYSCALL_SETRESGID_X] = {"setresgid",
1294 EC_USER | EC_SYSCALL,
1295 EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
1296 4,
1297 {{"res", PT_ERRNO, PF_DEC},
1298 {"rgid", PT_GID, PF_DEC},
1299 {"egid", PT_GID, PF_DEC},
1300 {"sgid", PT_GID, PF_DEC}}},
1301 [PPME_SCAPEVENT_E] = {"scapevent",
1302 EC_INTERNAL | EC_METAEVENT,
1303 EF_SKIPPARSERESET,
1304 2,
1305 {{"event_type", PT_UINT32, PF_DEC},
1306 {"event_data", PT_UINT64, PF_DEC}}},
1307 [PPME_SCAPEVENT_X] = {"NA", EC_UNKNOWN, EF_UNUSED, 0},
1308 [PPME_SYSCALL_CLOSE_RANGE_E] = {"NA", EC_UNKNOWN, EF_UNUSED, 0},
1309 [PPME_SYSCALL_CLOSE_RANGE_X] = {"close_range",
1310 EC_IO_OTHER | EC_SYSCALL,
1311 EF_MODIFIES_STATE,
1312 4,
1313 {{"res", PT_ERRNO, PF_DEC},
1314 {"first", PT_UINT32, PF_DEC},
1315 {"last", PT_UINT32, PF_DEC},
1316 {"flags", PT_FLAGS32, PF_HEX, close_range_flags}}},
1317 [PPME_SYSCALL_SETUID_E] = {"setuid",
1318 EC_USER | EC_SYSCALL,
1319 EF_OLD_VERSION | EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
1320 1,
1321 {{"uid", PT_UID, PF_DEC}}},
1322 [PPME_SYSCALL_SETUID_X] = {"setuid",
1323 EC_USER | EC_SYSCALL,
1324 EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
1325 2,
1326 {{"res", PT_ERRNO, PF_DEC}, {"uid", PT_UID, PF_DEC}}},
1327 [PPME_SYSCALL_SETGID_E] = {"setgid",
1328 EC_USER | EC_SYSCALL,
1329 EF_OLD_VERSION | EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
1330 1,
1331 {{"gid", PT_GID, PF_DEC}}},
1332 [PPME_SYSCALL_SETGID_X] = {"setgid",
1333 EC_USER | EC_SYSCALL,
1334 EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
1335 2,
1336 {{"res", PT_ERRNO, PF_DEC}, {"gid", PT_GID, PF_DEC}}},
1337 [PPME_SYSCALL_GETUID_E] = {"getuid", EC_USER | EC_SYSCALL, EF_OLD_VERSION, 0},
1338 [PPME_SYSCALL_GETUID_X] =
1339 {"getuid", EC_USER | EC_SYSCALL, EF_NONE, 1, {{"uid", PT_UID, PF_DEC}}},
1340 [PPME_SYSCALL_GETEUID_E] = {"geteuid", EC_USER | EC_SYSCALL, EF_OLD_VERSION, 0},
1341 [PPME_SYSCALL_GETEUID_X] =
1342 {"geteuid", EC_USER | EC_SYSCALL, EF_NONE, 1, {{"euid", PT_UID, PF_DEC}}},
1343 [PPME_SYSCALL_GETGID_E] = {"getgid", EC_USER | EC_SYSCALL, EF_OLD_VERSION, 0},
1344 [PPME_SYSCALL_GETGID_X] =
1345 {"getgid", EC_USER | EC_SYSCALL, EF_NONE, 1, {{"gid", PT_GID, PF_DEC}}},
1346 [PPME_SYSCALL_GETEGID_E] = {"getegid", EC_USER | EC_SYSCALL, EF_OLD_VERSION, 0},
1347 [PPME_SYSCALL_GETEGID_X] =
1348 {"getegid", EC_USER | EC_SYSCALL, EF_NONE, 1, {{"egid", PT_GID, PF_DEC}}},
1349 [PPME_SYSCALL_GETRESUID_E] = {"getresuid", EC_USER | EC_SYSCALL, EF_OLD_VERSION, 0},
1350 [PPME_SYSCALL_GETRESUID_X] = {"getresuid",
1351 EC_USER | EC_SYSCALL,
1352 EF_NONE,
1353 4,
1354 {{"res", PT_ERRNO, PF_DEC},
1355 {"ruid", PT_UID, PF_DEC},
1356 {"euid", PT_UID, PF_DEC},
1357 {"suid", PT_UID, PF_DEC}}},
1358 [PPME_SYSCALL_GETRESGID_E] = {"getresgid", EC_USER | EC_SYSCALL, EF_OLD_VERSION, 0},
1359 [PPME_SYSCALL_GETRESGID_X] = {"getresgid",
1360 EC_USER | EC_SYSCALL,
1361 EF_NONE,
1362 4,
1363 {{"res", PT_ERRNO, PF_DEC},
1364 {"rgid", PT_GID, PF_DEC},
1365 {"egid", PT_GID, PF_DEC},
1366 {"sgid", PT_GID, PF_DEC}}},
1367 [PPME_SYSCALL_EXECVE_15_E] = {"execve",
1368 EC_PROCESS | EC_SYSCALL,
1369 EF_OLD_VERSION | EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
1370 0},
1371 [PPME_SYSCALL_EXECVE_15_X] = {"execve",
1372 EC_PROCESS | EC_SYSCALL,
1373 EF_OLD_VERSION | EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
1374 15,
1375 {{"res", PT_ERRNO, PF_DEC},
1376 {"exe", PT_CHARBUF, PF_NA},
1377 {"args", PT_BYTEBUF, PF_NA},
1378 {"tid", PT_PID, PF_DEC},
1379 {"pid", PT_PID, PF_DEC},
1380 {"ptid", PT_PID, PF_DEC},
1381 {"cwd", PT_CHARBUF, PF_NA},
1382 {"fdlimit", PT_UINT64, PF_DEC},
1383 {"pgft_maj", PT_UINT64, PF_DEC},
1384 {"pgft_min", PT_UINT64, PF_DEC},
1385 {"vm_size", PT_UINT32, PF_DEC},
1386 {"vm_rss", PT_UINT32, PF_DEC},
1387 {"vm_swap", PT_UINT32, PF_DEC},
1388 {"comm", PT_CHARBUF, PF_NA},
1389 {"env", PT_BYTEBUF, PF_NA}}},
1390 [PPME_SYSCALL_CLONE_17_E] = {"clone",
1391 EC_PROCESS | EC_SYSCALL,
1392 EF_OLD_VERSION | EF_MODIFIES_STATE,
1393 0},
1394 [PPME_SYSCALL_CLONE_17_X] = {"clone",
1395 EC_PROCESS | EC_SYSCALL,
1396 EF_OLD_VERSION | EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
1397 17,
1398 {{"res", PT_PID, PF_DEC},
1399 {"exe", PT_CHARBUF, PF_NA},
1400 {"args", PT_BYTEBUF, PF_NA},
1401 {"tid", PT_PID, PF_DEC},
1402 {"pid", PT_PID, PF_DEC},
1403 {"ptid", PT_PID, PF_DEC},
1404 {"cwd", PT_CHARBUF, PF_NA},
1405 {"fdlimit", PT_INT64, PF_DEC},
1406 {"pgft_maj", PT_UINT64, PF_DEC},
1407 {"pgft_min", PT_UINT64, PF_DEC},
1408 {"vm_size", PT_UINT32, PF_DEC},
1409 {"vm_rss", PT_UINT32, PF_DEC},
1410 {"vm_swap", PT_UINT32, PF_DEC},
1411 {"comm", PT_CHARBUF, PF_NA},
1412 {"flags", PT_FLAGS32, PF_HEX, clone_flags},
1413 {"uid", PT_UINT32, PF_DEC},
1414 {"gid", PT_UINT32, PF_DEC}}},
1415 [PPME_SYSCALL_FORK_17_E] = {"fork",
1416 EC_PROCESS | EC_SYSCALL,
1417 EF_OLD_VERSION | EF_MODIFIES_STATE,
1418 0},
1419 [PPME_SYSCALL_FORK_17_X] = {"fork",
1420 EC_PROCESS | EC_SYSCALL,
1421 EF_OLD_VERSION | EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
1422 17,
1423 {{"res", PT_PID, PF_DEC},
1424 {"exe", PT_CHARBUF, PF_NA},
1425 {"args", PT_BYTEBUF, PF_NA},
1426 {"tid", PT_PID, PF_DEC},
1427 {"pid", PT_PID, PF_DEC},
1428 {"ptid", PT_PID, PF_DEC},
1429 {"cwd", PT_CHARBUF, PF_NA},
1430 {"fdlimit", PT_INT64, PF_DEC},
1431 {"pgft_maj", PT_UINT64, PF_DEC},
1432 {"pgft_min", PT_UINT64, PF_DEC},
1433 {"vm_size", PT_UINT32, PF_DEC},
1434 {"vm_rss", PT_UINT32, PF_DEC},
1435 {"vm_swap", PT_UINT32, PF_DEC},
1436 {"comm", PT_CHARBUF, PF_NA},
1437 {"flags", PT_FLAGS32, PF_HEX, clone_flags},
1438 {"uid", PT_UINT32, PF_DEC},
1439 {"gid", PT_UINT32, PF_DEC}}},
1440 [PPME_SYSCALL_VFORK_17_E] = {"vfork",
1441 EC_PROCESS | EC_SYSCALL,
1442 EF_OLD_VERSION | EF_MODIFIES_STATE,
1443 0},
1444 [PPME_SYSCALL_VFORK_17_X] = {"vfork",
1445 EC_PROCESS | EC_SYSCALL,
1446 EF_OLD_VERSION | EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
1447 17,
1448 {{"res", PT_PID, PF_DEC},
1449 {"exe", PT_CHARBUF, PF_NA},
1450 {"args", PT_BYTEBUF, PF_NA},
1451 {"tid", PT_PID, PF_DEC},
1452 {"pid", PT_PID, PF_DEC},
1453 {"ptid", PT_PID, PF_DEC},
1454 {"cwd", PT_CHARBUF, PF_NA},
1455 {"fdlimit", PT_INT64, PF_DEC},
1456 {"pgft_maj", PT_UINT64, PF_DEC},
1457 {"pgft_min", PT_UINT64, PF_DEC},
1458 {"vm_size", PT_UINT32, PF_DEC},
1459 {"vm_rss", PT_UINT32, PF_DEC},
1460 {"vm_swap", PT_UINT32, PF_DEC},
1461 {"comm", PT_CHARBUF, PF_NA},
1462 {"flags", PT_FLAGS32, PF_HEX, clone_flags},
1463 {"uid", PT_UINT32, PF_DEC},
1464 {"gid", PT_UINT32, PF_DEC}}},
1465 [PPME_SYSCALL_CLONE_20_E] = {"clone",
1466 EC_PROCESS | EC_SYSCALL,
1467 EF_OLD_VERSION | EF_MODIFIES_STATE,
1468 0},
1469 [PPME_SYSCALL_CLONE_20_X] = {"clone",
1470 EC_PROCESS | EC_SYSCALL,
1471 EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
1472 21,
1473 {{"res", PT_PID, PF_DEC},
1474 {"exe", PT_CHARBUF, PF_NA},
1475 {"args", PT_BYTEBUF, PF_NA},
1476 {"tid", PT_PID, PF_DEC},
1477 {"pid", PT_PID, PF_DEC},
1478 {"ptid", PT_PID, PF_DEC},
1479 {"cwd", PT_CHARBUF, PF_NA},
1480 {"fdlimit", PT_INT64, PF_DEC},
1481 {"pgft_maj", PT_UINT64, PF_DEC},
1482 {"pgft_min", PT_UINT64, PF_DEC},
1483 {"vm_size", PT_UINT32, PF_DEC},
1484 {"vm_rss", PT_UINT32, PF_DEC},
1485 {"vm_swap", PT_UINT32, PF_DEC},
1486 {"comm", PT_CHARBUF, PF_NA},
1487 {"cgroups", PT_BYTEBUF, PF_NA},
1488 {"flags", PT_FLAGS32, PF_HEX, clone_flags},
1489 {"uid", PT_UINT32, PF_DEC},
1490 {"gid", PT_UINT32, PF_DEC},
1491 {"vtid", PT_PID, PF_DEC},
1492 {"vpid", PT_PID, PF_DEC},
1493 {"pidns_init_start_ts", PT_UINT64, PF_DEC}}},
1494 [PPME_SYSCALL_FORK_20_E] = {"fork",
1495 EC_PROCESS | EC_SYSCALL,
1496 EF_OLD_VERSION | EF_MODIFIES_STATE,
1497 0},
1498 [PPME_SYSCALL_FORK_20_X] = {"fork",
1499 EC_PROCESS | EC_SYSCALL,
1500 EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
1501 21,
1502 {{"res", PT_PID, PF_DEC},
1503 {"exe", PT_CHARBUF, PF_NA},
1504 {"args", PT_BYTEBUF, PF_NA},
1505 {"tid", PT_PID, PF_DEC},
1506 {"pid", PT_PID, PF_DEC},
1507 {"ptid", PT_PID, PF_DEC},
1508 {"cwd", PT_CHARBUF, PF_NA},
1509 {"fdlimit", PT_INT64, PF_DEC},
1510 {"pgft_maj", PT_UINT64, PF_DEC},
1511 {"pgft_min", PT_UINT64, PF_DEC},
1512 {"vm_size", PT_UINT32, PF_DEC},
1513 {"vm_rss", PT_UINT32, PF_DEC},
1514 {"vm_swap", PT_UINT32, PF_DEC},
1515 {"comm", PT_CHARBUF, PF_NA},
1516 {"cgroups", PT_BYTEBUF, PF_NA},
1517 {"flags", PT_FLAGS32, PF_HEX, clone_flags},
1518 {"uid", PT_UINT32, PF_DEC},
1519 {"gid", PT_UINT32, PF_DEC},
1520 {"vtid", PT_PID, PF_DEC},
1521 {"vpid", PT_PID, PF_DEC},
1522 {"pidns_init_start_ts", PT_UINT64, PF_DEC}}},
1523 [PPME_SYSCALL_VFORK_20_E] = {"vfork",
1524 EC_PROCESS | EC_SYSCALL,
1525 EF_OLD_VERSION | EF_MODIFIES_STATE,
1526 0},
1527 [PPME_SYSCALL_VFORK_20_X] = {"vfork",
1528 EC_PROCESS | EC_SYSCALL,
1529 EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
1530 21,
1531 {{"res", PT_PID, PF_DEC},
1532 {"exe", PT_CHARBUF, PF_NA},
1533 {"args", PT_BYTEBUF, PF_NA},
1534 {"tid", PT_PID, PF_DEC},
1535 {"pid", PT_PID, PF_DEC},
1536 {"ptid", PT_PID, PF_DEC},
1537 {"cwd", PT_CHARBUF, PF_NA},
1538 {"fdlimit", PT_INT64, PF_DEC},
1539 {"pgft_maj", PT_UINT64, PF_DEC},
1540 {"pgft_min", PT_UINT64, PF_DEC},
1541 {"vm_size", PT_UINT32, PF_DEC},
1542 {"vm_rss", PT_UINT32, PF_DEC},
1543 {"vm_swap", PT_UINT32, PF_DEC},
1544 {"comm", PT_CHARBUF, PF_NA},
1545 {"cgroups", PT_BYTEBUF, PF_NA},
1546 {"flags", PT_FLAGS32, PF_HEX, clone_flags},
1547 {"uid", PT_UINT32, PF_DEC},
1548 {"gid", PT_UINT32, PF_DEC},
1549 {"vtid", PT_PID, PF_DEC},
1550 {"vpid", PT_PID, PF_DEC},
1551 {"pidns_init_start_ts", PT_UINT64, PF_DEC}}},
1552 [PPME_CONTAINER_E] = {"container",
1553 EC_INTERNAL | EC_METAEVENT,
1554 EF_OLD_VERSION | EF_SKIPPARSERESET | EF_MODIFIES_STATE |
1555 EF_CONVERTER_MANAGED,
1556 4,
1557 {{"id", PT_CHARBUF, PF_NA},
1558 {"type", PT_UINT32, PF_DEC},
1559 {"name", PT_CHARBUF, PF_NA},
1560 {"image", PT_CHARBUF, PF_NA}}},
1561 [PPME_CONTAINER_X] = {"NA", EC_UNKNOWN, EF_UNUSED, 0},
1562 [PPME_SYSCALL_EXECVE_16_E] = {"execve",
1563 EC_PROCESS | EC_SYSCALL,
1564 EF_OLD_VERSION | EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
1565 0},
1566 [PPME_SYSCALL_EXECVE_16_X] = {"execve",
1567 EC_PROCESS | EC_SYSCALL,
1568 EF_OLD_VERSION | EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
1569 16,
1570 {{"res", PT_ERRNO, PF_DEC},
1571 {"exe", PT_CHARBUF, PF_NA},
1572 {"args", PT_BYTEBUF, PF_NA},
1573 {"tid", PT_PID, PF_DEC},
1574 {"pid", PT_PID, PF_DEC},
1575 {"ptid", PT_PID, PF_DEC},
1576 {"cwd", PT_CHARBUF, PF_NA},
1577 {"fdlimit", PT_UINT64, PF_DEC},
1578 {"pgft_maj", PT_UINT64, PF_DEC},
1579 {"pgft_min", PT_UINT64, PF_DEC},
1580 {"vm_size", PT_UINT32, PF_DEC},
1581 {"vm_rss", PT_UINT32, PF_DEC},
1582 {"vm_swap", PT_UINT32, PF_DEC},
1583 {"comm", PT_CHARBUF, PF_NA},
1584 {"cgroups", PT_BYTEBUF, PF_NA},
1585 {"env", PT_BYTEBUF, PF_NA}}},
1586 [PPME_SIGNALDELIVER_E] = {"signaldeliver",
1587 EC_SIGNAL | EC_TRACEPOINT,
1588 EF_NONE,
1589 3,
1590 {{"spid", PT_PID, PF_DEC},
1591 {"dpid", PT_PID, PF_DEC},
1592 {"sig", PT_SIGTYPE, PF_DEC}}},
1593 [PPME_SIGNALDELIVER_X] = {"NA", EC_UNKNOWN, EF_UNUSED, 0},
1594 [PPME_PROCINFO_E] = {"procinfo",
1595 EC_INTERNAL | EC_METAEVENT,
1596 EF_SKIPPARSERESET,
1597 2,
1598 {{"cpu_usr", PT_UINT64, PF_DEC}, {"cpu_sys", PT_UINT64, PF_DEC}}},
1599 [PPME_PROCINFO_X] = {"NA", EC_UNKNOWN, EF_UNUSED, 0},
1600 [PPME_SYSCALL_GETDENTS_E] = {"getdents",
1601 EC_FILE | EC_SYSCALL,
1602 EF_OLD_VERSION | EF_USES_FD | EF_CONVERTER_MANAGED,
1603 1,
1604 {{"fd", PT_FD, PF_NA}}},
1605 [PPME_SYSCALL_GETDENTS_X] = {"getdents",
1606 EC_FILE | EC_SYSCALL,
1607 EF_USES_FD | EF_CONVERTER_MANAGED,
1608 2,
1609 {{"res", PT_ERRNO, PF_DEC}, {"fd", PT_FD, PF_NA}}},
1610 [PPME_SYSCALL_GETDENTS64_E] = {"getdents64",
1611 EC_FILE | EC_SYSCALL,
1612 EF_OLD_VERSION | EF_USES_FD | EF_CONVERTER_MANAGED,
1613 1,
1614 {{"fd", PT_FD, PF_NA}}},
1615 [PPME_SYSCALL_GETDENTS64_X] = {"getdents64",
1616 EC_FILE | EC_SYSCALL,
1617 EF_USES_FD | EF_CONVERTER_MANAGED,
1618 2,
1619 {{"res", PT_ERRNO, PF_DEC}, {"fd", PT_FD, PF_NA}}},
1620 [PPME_SYSCALL_SETNS_E] = {"setns",
1621 EC_PROCESS | EC_SYSCALL,
1622 EF_OLD_VERSION | EF_USES_FD | EF_CONVERTER_MANAGED,
1623 2,
1624 {{"fd", PT_FD, PF_NA},
1625 {"nstype", PT_FLAGS32, PF_HEX, clone_flags}}},
1626 [PPME_SYSCALL_SETNS_X] = {"setns",
1627 EC_PROCESS | EC_SYSCALL,
1628 EF_USES_FD | EF_CONVERTER_MANAGED,
1629 3,
1630 {{"res", PT_ERRNO, PF_DEC},
1631 {"fd", PT_FD, PF_NA},
1632 {"nstype", PT_FLAGS32, PF_HEX, clone_flags}}},
1633 [PPME_SYSCALL_FLOCK_E] = {"flock",
1634 EC_FILE | EC_SYSCALL,
1635 EF_OLD_VERSION | EF_USES_FD | EF_CONVERTER_MANAGED,
1636 2,
1637 {{"fd", PT_FD, PF_NA},
1638 {"operation", PT_FLAGS32, PF_HEX, flock_flags}}},
1639 [PPME_SYSCALL_FLOCK_X] = {"flock",
1640 EC_FILE | EC_SYSCALL,
1641 EF_USES_FD | EF_CONVERTER_MANAGED,
1642 3,
1643 {{"res", PT_ERRNO, PF_DEC},
1644 {"fd", PT_FD, PF_NA},
1645 {"operation", PT_FLAGS32, PF_HEX, flock_flags}}},
1646 [PPME_CPU_HOTPLUG_E] = {"cpu_hotplug",
1647 EC_SYSTEM | EC_METAEVENT,
1648 EF_SKIPPARSERESET | EF_MODIFIES_STATE,
1649 2,
1650 {{"cpu", PT_UINT32, PF_DEC}, {"action", PT_UINT32, PF_DEC}}},
1651 [PPME_CPU_HOTPLUG_X] = {"NA", EC_UNKNOWN, EF_UNUSED, 0},
1652 [PPME_SOCKET_ACCEPT_5_E] = {"accept",
1653 EC_NET | EC_SYSCALL,
1654 EF_OLD_VERSION | EF_CREATES_FD | EF_MODIFIES_STATE,
1655 0},
1656 [PPME_SOCKET_ACCEPT_5_X] = {"accept",
1657 EC_NET | EC_SYSCALL,
1658 EF_CREATES_FD | EF_MODIFIES_STATE,
1659 5,
1660 {{"fd", PT_FD, PF_DEC},
1661 {"tuple", PT_SOCKTUPLE, PF_NA},
1662 {"queuepct", PT_UINT8, PF_DEC},
1663 {"queuelen", PT_UINT32, PF_DEC},
1664 {"queuemax", PT_UINT32, PF_DEC}}},
1665 [PPME_SOCKET_ACCEPT4_5_E] = {"accept",
1666 EC_NET | EC_SYSCALL,
1667 EF_OLD_VERSION | EF_CREATES_FD | EF_MODIFIES_STATE |
1668 EF_CONVERTER_MANAGED,
1669 1,
1670 {{"flags", PT_INT32, PF_HEX}}},
1671 [PPME_SOCKET_ACCEPT4_5_X] = {"accept",
1672 EC_NET | EC_SYSCALL,
1673 EF_OLD_VERSION | EF_CREATES_FD | EF_MODIFIES_STATE |
1674 EF_CONVERTER_MANAGED,
1675 5,
1676 {{"fd", PT_FD, PF_DEC},
1677 {"tuple", PT_SOCKTUPLE, PF_NA},
1678 {"queuepct", PT_UINT8, PF_DEC},
1679 {"queuelen", PT_UINT32, PF_DEC},
1680 {"queuemax", PT_UINT32, PF_DEC}}},
1681 [PPME_SYSCALL_SEMOP_E] = {"semop",
1682 EC_PROCESS | EC_SYSCALL,
1683 EF_OLD_VERSION | EF_CONVERTER_MANAGED,
1684 1,
1685 {{"semid", PT_INT32, PF_DEC}}},
1686 [PPME_SYSCALL_SEMOP_X] = {"semop",
1687 EC_PROCESS | EC_SYSCALL,
1688 EF_CONVERTER_MANAGED,
1689 9,
1690 {{"res", PT_ERRNO, PF_DEC},
1691 {"nsops", PT_UINT32, PF_DEC},
1692 {"sem_num_0", PT_UINT16, PF_DEC},
1693 {"sem_op_0", PT_INT16, PF_DEC},
1694 {"sem_flg_0", PT_FLAGS16, PF_HEX, semop_flags},
1695 {"sem_num_1", PT_UINT16, PF_DEC},
1696 {"sem_op_1", PT_INT16, PF_DEC},
1697 {"sem_flg_1", PT_FLAGS16, PF_HEX, semop_flags},
1698 {"semid", PT_INT32, PF_DEC}}},
1699 [PPME_SYSCALL_SEMCTL_E] = {"semctl",
1700 EC_PROCESS | EC_SYSCALL,
1701 EF_OLD_VERSION | EF_CONVERTER_MANAGED,
1702 4,
1703 {{"semid", PT_INT32, PF_DEC},
1704 {"semnum", PT_INT32, PF_DEC},
1705 {"cmd", PT_FLAGS16, PF_HEX, semctl_commands},
1706 {"val", PT_INT32, PF_DEC}}},
1707 [PPME_SYSCALL_SEMCTL_X] = {"semctl",
1708 EC_PROCESS | EC_SYSCALL,
1709 EF_CONVERTER_MANAGED,
1710 5,
1711 {{"res", PT_ERRNO, PF_DEC},
1712 {"semid", PT_INT32, PF_DEC},
1713 {"semnum", PT_INT32, PF_DEC},
1714 {"cmd", PT_FLAGS16, PF_HEX, semctl_commands},
1715 {"val", PT_INT32, PF_DEC}}},
1716 [PPME_SYSCALL_PPOLL_E] = {"ppoll",
1717 EC_WAIT | EC_SYSCALL,
1718 EF_OLD_VERSION | EF_WAITS | EF_CONVERTER_MANAGED,
1719 3,
1720 {{"fds", PT_FDLIST, PF_DEC},
1721 {"timeout", PT_RELTIME, PF_DEC},
1722 {"sigmask", PT_SIGSET, PF_DEC}}},
1723 [PPME_SYSCALL_PPOLL_X] = {"ppoll",
1724 EC_WAIT | EC_SYSCALL,
1725 EF_WAITS | EF_CONVERTER_MANAGED,
1726 4,
1727 {{"res", PT_ERRNO, PF_DEC},
1728 {"fds", PT_FDLIST, PF_DEC},
1729 {"timeout", PT_RELTIME, PF_DEC},
1730 {"sigmask", PT_SIGSET, PF_DEC}}},
1731 [PPME_SYSCALL_MOUNT_E] = {"mount",
1732 EC_FILE | EC_SYSCALL,
1733 EF_OLD_VERSION | EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
1734 1,
1735 {{"flags", PT_FLAGS32, PF_HEX, mount_flags}}},
1736 [PPME_SYSCALL_MOUNT_X] = {"mount",
1737 EC_FILE | EC_SYSCALL,
1738 EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
1739 5,
1740 {{"res", PT_ERRNO, PF_DEC},
1741 {"dev", PT_CHARBUF, PF_NA},
1742 {"dir", PT_FSPATH, PF_NA},
1743 {"type", PT_CHARBUF, PF_NA},
1744 {"flags", PT_FLAGS32, PF_HEX, mount_flags}}},
1745 [PPME_SYSCALL_UMOUNT_E] = {"umount",
1746 EC_FILE | EC_SYSCALL,
1747 EF_OLD_VERSION | EF_MODIFIES_STATE,
1748 1,
1749 {{"flags", PT_FLAGS32, PF_HEX, umount_flags}}},
1750 [PPME_SYSCALL_UMOUNT_X] = {"umount",
1751 EC_FILE | EC_SYSCALL,
1752 EF_OLD_VERSION | EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
1753 2,
1754 {{"res", PT_ERRNO, PF_DEC}, {"name", PT_FSPATH, PF_NA}}},
1755 [PPME_K8S_E] = {"k8s",
1756 EC_INTERNAL | EC_METAEVENT,
1757 EF_OLD_VERSION | EF_SKIPPARSERESET | EF_MODIFIES_STATE,
1758 1,
1759 {{"json", PT_CHARBUF, PF_NA}}},
1760 [PPME_K8S_X] = {"NA", EC_UNKNOWN, EF_UNUSED, 0},
1761 [PPME_SYSCALL_SEMGET_E] = {"semget",
1762 EC_PROCESS | EC_SYSCALL,
1763 EF_OLD_VERSION | EF_CONVERTER_MANAGED,
1764 3,
1765 {{"key", PT_INT32, PF_HEX},
1766 {"nsems", PT_INT32, PF_DEC},
1767 {"semflg", PT_FLAGS32, PF_HEX, semget_flags}}},
1768 [PPME_SYSCALL_SEMGET_X] = {"semget",
1769 EC_PROCESS | EC_SYSCALL,
1770 EF_CONVERTER_MANAGED,
1771 4,
1772 {{"res", PT_ERRNO, PF_DEC},
1773 {"key", PT_INT32, PF_HEX},
1774 {"nsems", PT_INT32, PF_DEC},
1775 {"semflg", PT_FLAGS32, PF_HEX, semget_flags}}},
1776 [PPME_SYSCALL_ACCESS_E] = {"access",
1777 EC_FILE | EC_SYSCALL,
1778 EF_OLD_VERSION | EF_CONVERTER_MANAGED,
1779 1,
1780 {{"mode", PT_FLAGS32, PF_HEX, access_flags}}},
1781 [PPME_SYSCALL_ACCESS_X] = {"access",
1782 EC_FILE | EC_SYSCALL,
1783 EF_CONVERTER_MANAGED,
1784 3,
1785 {{"res", PT_ERRNO, PF_DEC},
1786 {"name", PT_FSPATH, PF_NA},
1787 {"mode", PT_FLAGS32, PF_HEX, access_flags}}},
1788 [PPME_SYSCALL_CHROOT_E] = {"chroot",
1789 EC_PROCESS | EC_SYSCALL,
1790 EF_OLD_VERSION | EF_MODIFIES_STATE,
1791 0},
1792 [PPME_SYSCALL_CHROOT_X] = {"chroot",
1793 EC_PROCESS | EC_SYSCALL,
1794 EF_MODIFIES_STATE,
1795 2,
1796 {{"res", PT_ERRNO, PF_DEC}, {"path", PT_FSPATH, PF_NA}}},
1797 [PPME_TRACER_E] = {"tracer",
1798 EC_OTHER | EC_METAEVENT,
1799 EF_OLD_VERSION,
1800 3,
1801 {{"id", PT_INT64, PF_DEC},
1802 {"tags", PT_CHARBUFARRAY, PF_NA},
1803 {"args", PT_CHARBUF_PAIR_ARRAY, PF_NA}}},
1804 [PPME_TRACER_X] = {"NA",
1805 EC_UNKNOWN,
1806 EF_UNUSED,
1807 3,
1808 {{"id", PT_INT64, PF_DEC},
1809 {"tags", PT_CHARBUFARRAY, PF_NA},
1810 {"args", PT_CHARBUF_PAIR_ARRAY, PF_NA}}},
1811 [PPME_MESOS_E] = {"mesos",
1812 EC_INTERNAL | EC_METAEVENT,
1813 EF_OLD_VERSION | EF_SKIPPARSERESET | EF_MODIFIES_STATE,
1814 1,
1815 {{"json", PT_CHARBUF, PF_NA}}},
1816 [PPME_MESOS_X] = {"NA", EC_UNKNOWN, EF_UNUSED, 0},
1817 [PPME_CONTAINER_JSON_E] =
1818 {"container",
1819 EC_PROCESS | EC_METAEVENT,
1820 EF_OLD_VERSION | EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
1821 1,
1822 {{"json", PT_CHARBUF, PF_NA}}},
1823 [PPME_CONTAINER_JSON_X] = {"NA", EC_UNKNOWN, EF_UNUSED, 0},
1824 [PPME_SYSCALL_SETSID_E] = {"setsid",
1825 EC_PROCESS | EC_SYSCALL,
1826 EF_OLD_VERSION | EF_MODIFIES_STATE,
1827 0},
1828 [PPME_SYSCALL_SETSID_X] = {"setsid",
1829 EC_PROCESS | EC_SYSCALL,
1830 EF_MODIFIES_STATE,
1831 1,
1832 {{"res", PT_PID, PF_DEC}}},
1833 [PPME_SYSCALL_MKDIR_2_E] = {"mkdir",
1834 EC_FILE | EC_SYSCALL,
1835 EF_OLD_VERSION | EF_CONVERTER_MANAGED,
1836 1,
1837 {{"mode", PT_UINT32, PF_HEX}}},
1838 [PPME_SYSCALL_MKDIR_2_X] = {"mkdir",
1839 EC_FILE | EC_SYSCALL,
1840 EF_CONVERTER_MANAGED,
1841 3,
1842 {{"res", PT_ERRNO, PF_DEC},
1843 {"path", PT_FSPATH, PF_NA},
1844 {"mode", PT_UINT32, PF_HEX}}},
1845 [PPME_SYSCALL_RMDIR_2_E] = {"rmdir", EC_FILE | EC_SYSCALL, EF_OLD_VERSION, 0},
1846 [PPME_SYSCALL_RMDIR_2_X] = {"rmdir",
1847 EC_FILE | EC_SYSCALL,
1848 EF_NONE,
1849 2,
1850 {{"res", PT_ERRNO, PF_DEC}, {"path", PT_FSPATH, PF_NA}}},
1851 [PPME_NOTIFICATION_E] = {"notification",
1852 EC_OTHER | EC_METAEVENT,
1853 EF_SKIPPARSERESET,
1854 2,
1855 {
1856 {"id", PT_CHARBUF, PF_DEC},
1857 {"desc", PT_CHARBUF, PF_NA},
1858 }},
1859 [PPME_NOTIFICATION_X] = {"NA", EC_UNKNOWN, EF_UNUSED, 0},
1860 [PPME_SYSCALL_EXECVE_17_E] = {"execve",
1861 EC_PROCESS | EC_SYSCALL,
1862 EF_OLD_VERSION | EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
1863 0},
1864 [PPME_SYSCALL_EXECVE_17_X] = {"execve",
1865 EC_PROCESS | EC_SYSCALL,
1866 EF_OLD_VERSION | EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
1867 17,
1868 {{"res", PT_ERRNO, PF_DEC},
1869 {"exe", PT_CHARBUF, PF_NA},
1870 {"args", PT_BYTEBUF, PF_NA},
1871 {"tid", PT_PID, PF_DEC},
1872 {"pid", PT_PID, PF_DEC},
1873 {"ptid", PT_PID, PF_DEC},
1874 {"cwd", PT_CHARBUF, PF_NA},
1875 {"fdlimit", PT_UINT64, PF_DEC},
1876 {"pgft_maj", PT_UINT64, PF_DEC},
1877 {"pgft_min", PT_UINT64, PF_DEC},
1878 {"vm_size", PT_UINT32, PF_DEC},
1879 {"vm_rss", PT_UINT32, PF_DEC},
1880 {"vm_swap", PT_UINT32, PF_DEC},
1881 {"comm", PT_CHARBUF, PF_NA},
1882 {"cgroups", PT_BYTEBUF, PF_NA},
1883 {"env", PT_BYTEBUF, PF_NA},
1884 {"tty", PT_INT32, PF_DEC}}},
1885 [PPME_SYSCALL_UNSHARE_E] = {"unshare",
1886 EC_PROCESS | EC_SYSCALL,
1887 EF_OLD_VERSION | EF_CONVERTER_MANAGED,
1888 1,
1889 {{"flags", PT_FLAGS32, PF_HEX, clone_flags}}},
1890 [PPME_SYSCALL_UNSHARE_X] = {"unshare",
1891 EC_PROCESS | EC_SYSCALL,
1892 EF_CONVERTER_MANAGED,
1893 2,
1894 {{"res", PT_ERRNO, PF_DEC},
1895 {"flags", PT_FLAGS32, PF_HEX, clone_flags}}},
1896 [PPME_INFRASTRUCTURE_EVENT_E] = {"infra",
1897 EC_INTERNAL | EC_METAEVENT,
1898 EF_SKIPPARSERESET,
1899 4,
1900 {{"source", PT_CHARBUF, PF_DEC},
1901 {"name", PT_CHARBUF, PF_NA},
1902 {"description", PT_CHARBUF, PF_NA},
1903 {"scope", PT_CHARBUF, PF_NA}}},
1904 [PPME_INFRASTRUCTURE_EVENT_X] = {"NA", EC_UNKNOWN, EF_UNUSED, 0},
1905 [PPME_SYSCALL_EXECVE_18_E] = {"execve",
1906 EC_PROCESS | EC_SYSCALL,
1907 EF_OLD_VERSION | EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
1908 1,
1909 {{"filename", PT_FSPATH, PF_NA}}},
1910 [PPME_SYSCALL_EXECVE_18_X] = {"execve",
1911 EC_PROCESS | EC_SYSCALL,
1912 EF_OLD_VERSION | EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
1913 17,
1914 {{"res", PT_ERRNO, PF_DEC},
1915 {"exe", PT_CHARBUF, PF_NA},
1916 {"args", PT_BYTEBUF, PF_NA},
1917 {"tid", PT_PID, PF_DEC},
1918 {"pid", PT_PID, PF_DEC},
1919 {"ptid", PT_PID, PF_DEC},
1920 {"cwd", PT_CHARBUF, PF_NA},
1921 {"fdlimit", PT_UINT64, PF_DEC},
1922 {"pgft_maj", PT_UINT64, PF_DEC},
1923 {"pgft_min", PT_UINT64, PF_DEC},
1924 {"vm_size", PT_UINT32, PF_DEC},
1925 {"vm_rss", PT_UINT32, PF_DEC},
1926 {"vm_swap", PT_UINT32, PF_DEC},
1927 {"comm", PT_CHARBUF, PF_NA},
1928 {"cgroups", PT_BYTEBUF, PF_NA},
1929 {"env", PT_BYTEBUF, PF_NA},
1930 {"tty", PT_INT32, PF_DEC}}},
1931 [PPME_PAGE_FAULT_E] = {"page_fault",
1932 EC_OTHER | EC_TRACEPOINT,
1933 EF_SKIPPARSERESET,
1934 3,
1935 {{"addr", PT_UINT64, PF_HEX},
1936 {"ip", PT_UINT64, PF_HEX},
1937 {"error", PT_FLAGS32, PF_HEX, pf_flags}}},
1938 [PPME_PAGE_FAULT_X] = {"NA", EC_UNKNOWN, EF_UNUSED, 0},
1939 [PPME_SYSCALL_EXECVE_19_E] = {"execve",
1940 EC_PROCESS | EC_SYSCALL,
1941 EF_OLD_VERSION | EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
1942 1,
1943 {{"filename", PT_FSPATH, PF_NA}}},
1944 [PPME_SYSCALL_EXECVE_19_X] = {"execve",
1945 EC_PROCESS | EC_SYSCALL,
1946 EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
1947 31,
1948 {{"res", PT_ERRNO, PF_DEC},
1949 {"exe", PT_CHARBUF, PF_NA},
1950 {"args", PT_BYTEBUF, PF_NA},
1951 {"tid", PT_PID, PF_DEC},
1952 {"pid", PT_PID, PF_DEC},
1953 {"ptid", PT_PID, PF_DEC},
1954 {"cwd", PT_CHARBUF, PF_NA},
1955 {"fdlimit", PT_UINT64, PF_DEC},
1956 {"pgft_maj", PT_UINT64, PF_DEC},
1957 {"pgft_min", PT_UINT64, PF_DEC},
1958 {"vm_size", PT_UINT32, PF_DEC},
1959 {"vm_rss", PT_UINT32, PF_DEC},
1960 {"vm_swap", PT_UINT32, PF_DEC},
1961 {"comm", PT_CHARBUF, PF_NA},
1962 {"cgroups", PT_BYTEBUF, PF_NA},
1963 {"env", PT_BYTEBUF, PF_NA},
1964 {"tty", PT_UINT32, PF_DEC},
1965 {"vpgid", PT_PID, PF_DEC},
1966 {"loginuid", PT_UID, PF_DEC},
1967 {"flags", PT_FLAGS32, PF_HEX, execve_flags},
1968 {"cap_inheritable", PT_UINT64, PF_HEX},
1969 {"cap_permitted", PT_UINT64, PF_HEX},
1970 {"cap_effective", PT_UINT64, PF_HEX},
1971 {"exe_ino", PT_UINT64, PF_DEC},
1972 {"exe_ino_ctime", PT_ABSTIME, PF_DEC},
1973 {"exe_ino_mtime", PT_ABSTIME, PF_DEC},
1974 {"uid", PT_UID, PF_DEC},
1975 {"trusted_exepath", PT_FSPATH, PF_NA},
1976 {"pgid", PT_PID, PF_NA},
1977 {"gid", PT_GID, PF_DEC},
1978 {"filename", PT_FSPATH, PF_NA}}},
1979 [PPME_SYSCALL_SETPGID_E] = {"setpgid",
1980 EC_PROCESS | EC_SYSCALL,
1981 EF_OLD_VERSION | EF_CONVERTER_MANAGED,
1982 2,
1983 {{"pid", PT_PID, PF_DEC}, {"pgid", PT_PID, PF_DEC}}},
1984 [PPME_SYSCALL_SETPGID_X] = {"setpgid",
1985 EC_PROCESS | EC_SYSCALL,
1986 EF_CONVERTER_MANAGED,
1987 3,
1988 {{"res", PT_ERRNO, PF_DEC},
1989 {"pid", PT_PID, PF_DEC},
1990 {"pgid", PT_PID, PF_DEC}}},
1991 [PPME_SYSCALL_BPF_E] = {"bpf",
1992 EC_OTHER | EC_SYSCALL,
1993 EF_OLD_VERSION | EF_CREATES_FD | EF_CONVERTER_MANAGED,
1994 1,
1995 {{"cmd", PT_INT64, PF_DEC}}},
1996 [PPME_SYSCALL_BPF_X] =
1997 {"bpf",
1998 EC_OTHER | EC_SYSCALL,
1999 EF_OLD_VERSION | EF_CREATES_FD | EF_CONVERTER_MANAGED,
2000 1,
2001 {{"res_or_fd", PT_DYN, PF_DEC, bpf_dynamic_param, PPM_BPF_IDX_MAX}}},
2002 [PPME_SYSCALL_SECCOMP_E] = {"seccomp",
2003 EC_OTHER | EC_SYSCALL,
2004 EF_OLD_VERSION | EF_CONVERTER_MANAGED,
2005 2,
2006 {{"op", PT_UINT64, PF_DEC}, {"flags", PT_UINT64, PF_HEX}}},
2007 [PPME_SYSCALL_SECCOMP_X] = {"seccomp",
2008 EC_OTHER | EC_SYSCALL,
2009 EF_CONVERTER_MANAGED,
2010 3,
2011 {{"res", PT_ERRNO, PF_DEC},
2012 {"op", PT_UINT64, PF_DEC},
2013 {"flags", PT_UINT64, PF_HEX}}},
2014 [PPME_SYSCALL_UNLINK_2_E] = {"unlink", EC_FILE | EC_SYSCALL, EF_OLD_VERSION, 0},
2015 [PPME_SYSCALL_UNLINK_2_X] = {"unlink",
2016 EC_FILE | EC_SYSCALL,
2017 EF_NONE,
2018 2,
2019 {{"res", PT_ERRNO, PF_DEC}, {"path", PT_FSPATH, PF_NA}}},
2020 [PPME_SYSCALL_UNLINKAT_2_E] = {"unlinkat", EC_FILE | EC_SYSCALL, EF_OLD_VERSION, 0},
2021 [PPME_SYSCALL_UNLINKAT_2_X] = {"unlinkat",
2022 EC_FILE | EC_SYSCALL,
2023 EF_USES_FD,
2024 4,
2025 {{"res", PT_ERRNO, PF_DEC},
2026 {"dirfd", PT_FD, PF_DEC},
2027 {"name", PT_FSRELPATH, PF_NA, 1},
2028 {"flags", PT_FLAGS32, PF_HEX, unlinkat_flags}}},
2029 [PPME_SYSCALL_MKDIRAT_E] = {"mkdirat", EC_FILE | EC_SYSCALL, EF_OLD_VERSION, 0},
2030 [PPME_SYSCALL_MKDIRAT_X] = {"mkdirat",
2031 EC_FILE | EC_SYSCALL,
2032 EF_USES_FD,
2033 4,
2034 {{"res", PT_ERRNO, PF_DEC},
2035 {"dirfd", PT_FD, PF_DEC},
2036 {"path", PT_FSRELPATH, PF_NA, 1},
2037 {"mode", PT_UINT32, PF_HEX}}},
2038 [PPME_SYSCALL_OPENAT_2_E] = {"openat",
2039 EC_FILE | EC_SYSCALL,
2040 EF_CREATES_FD | EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
2041 4,
2042 {{"dirfd", PT_FD, PF_DEC},
2043 {"name", PT_FSRELPATH, PF_NA, 0},
2044 {"flags", PT_FLAGS32, PF_HEX, file_flags},
2045 {"mode", PT_UINT32, PF_OCT}}},
2046 [PPME_SYSCALL_OPENAT_2_X] = {"openat",
2047 EC_FILE | EC_SYSCALL,
2048 EF_CREATES_FD | EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
2049 7,
2050 {{"fd", PT_FD, PF_DEC},
2051 {"dirfd", PT_FD, PF_DEC},
2052 {"name", PT_FSRELPATH, PF_NA, 1},
2053 {"flags", PT_FLAGS32, PF_HEX, file_flags},
2054 {"mode", PT_UINT32, PF_OCT},
2055 {"dev", PT_UINT32, PF_HEX},
2056 {"ino", PT_UINT64, PF_DEC}}},
2057 [PPME_SYSCALL_LINK_2_E] = {"link", EC_FILE | EC_SYSCALL, EF_OLD_VERSION, 0},
2058 [PPME_SYSCALL_LINK_2_X] = {"link",
2059 EC_FILE | EC_SYSCALL,
2060 EF_NONE,
2061 3,
2062 {{"res", PT_ERRNO, PF_DEC},
2063 {"oldpath", PT_FSPATH, PF_NA},
2064 {"newpath", PT_FSPATH, PF_NA}}},
2065 [PPME_SYSCALL_LINKAT_2_E] = {"linkat", EC_FILE | EC_SYSCALL, EF_OLD_VERSION, 0},
2066 [PPME_SYSCALL_LINKAT_2_X] = {"linkat",
2067 EC_FILE | EC_SYSCALL,
2068 EF_NONE,
2069 6,
2070 {{"res", PT_ERRNO, PF_DEC},
2071 {"olddir", PT_FD, PF_DEC},
2072 {"oldpath", PT_FSRELPATH, PF_NA, 1},
2073 {"newdir", PT_FD, PF_DEC},
2074 {"newpath", PT_FSRELPATH, PF_NA, 3},
2075 {"flags", PT_FLAGS32, PF_HEX, linkat_flags}}},
2076 [PPME_SYSCALL_FCHMODAT_E] = {"fchmodat", EC_FILE | EC_SYSCALL, EF_OLD_VERSION, 0},
2077 [PPME_SYSCALL_FCHMODAT_X] = {"fchmodat",
2078 EC_FILE | EC_SYSCALL,
2079 EF_USES_FD,
2080 4,
2081 {{"res", PT_ERRNO, PF_DEC},
2082 {"dirfd", PT_FD, PF_DEC},
2083 {"filename", PT_FSRELPATH, PF_NA, 1},
2084 {"mode", PT_MODE, PF_OCT, chmod_mode}}},
2085 [PPME_SYSCALL_CHMOD_E] = {"chmod", EC_FILE | EC_SYSCALL, EF_OLD_VERSION, 0},
2086 [PPME_SYSCALL_CHMOD_X] = {"chmod",
2087 EC_FILE | EC_SYSCALL,
2088 EF_NONE,
2089 3,
2090 {{"res", PT_ERRNO, PF_DEC},
2091 {"filename", PT_FSPATH, PF_NA},
2092 {"mode", PT_MODE, PF_OCT, chmod_mode}}},
2093 [PPME_SYSCALL_FCHMOD_E] = {"fchmod", EC_FILE | EC_SYSCALL, EF_OLD_VERSION, 0},
2094 [PPME_SYSCALL_FCHMOD_X] = {"fchmod",
2095 EC_FILE | EC_SYSCALL,
2096 EF_USES_FD,
2097 3,
2098 {{"res", PT_ERRNO, PF_DEC},
2099 {"fd", PT_FD, PF_DEC},
2100 {"mode", PT_MODE, PF_OCT, chmod_mode}}},
2101 [PPME_SYSCALL_RENAMEAT2_E] = {"renameat2", EC_FILE | EC_SYSCALL, EF_OLD_VERSION, 0},
2102 [PPME_SYSCALL_RENAMEAT2_X] = {"renameat2",
2103 EC_FILE | EC_SYSCALL,
2104 EF_NONE,
2105 6,
2106 {{"res", PT_ERRNO, PF_DEC},
2107 {"olddirfd", PT_FD, PF_DEC},
2108 {"oldpath", PT_FSRELPATH, PF_NA, 1},
2109 {"newdirfd", PT_FD, PF_DEC},
2110 {"newpath", PT_FSRELPATH, PF_NA, 3},
2111 {"flags", PT_FLAGS32, PF_HEX, renameat2_flags}}},
2112 [PPME_SYSCALL_USERFAULTFD_E] = {"userfaultfd",
2113 EC_FILE | EC_SYSCALL,
2114 EF_OLD_VERSION | EF_CREATES_FD | EF_MODIFIES_STATE,
2115 0},
2116 [PPME_SYSCALL_USERFAULTFD_X] = {"userfaultfd",
2117 EC_FILE | EC_SYSCALL,
2118 EF_CREATES_FD | EF_MODIFIES_STATE,
2119 2,
2120 {{"res", PT_ERRNO, PF_DEC},
2121 {"flags", PT_FLAGS32, PF_HEX, file_flags}}},
2122 [PPME_PLUGINEVENT_E] = {"pluginevent",
2123 EC_OTHER | EC_PLUGIN,
2124 EF_LARGE_PAYLOAD,
2125 2,
2126 {{"plugin_id", PT_UINT32, PF_DEC},
2127 {"event_data", PT_BYTEBUF, PF_NA}}},
2128 [PPME_PLUGINEVENT_X] = {"NA", EC_UNKNOWN, EF_UNUSED, 0},
2129 [PPME_CONTAINER_JSON_2_E] =
2130 {"container",
2131 EC_PROCESS | EC_METAEVENT,
2132 EF_MODIFIES_STATE | EF_LARGE_PAYLOAD,
2133 1,
2134 {{"json", PT_CHARBUF, PF_NA}}},
2135 [PPME_CONTAINER_JSON_2_X] = {"NA", EC_UNKNOWN, EF_UNUSED, 0},
2136 [PPME_SYSCALL_OPENAT2_E] = {"openat2",
2137 EC_FILE | EC_SYSCALL,
2138 EF_CREATES_FD | EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
2139 5,
2140 {{"dirfd", PT_FD, PF_DEC},
2141 {"name", PT_FSRELPATH, PF_NA, 0},
2142 {"flags", PT_FLAGS32, PF_HEX, file_flags},
2143 {"mode", PT_UINT32, PF_OCT},
2144 {"resolve", PT_FLAGS32, PF_HEX, openat2_flags}}},
2145 [PPME_SYSCALL_OPENAT2_X] = {"openat2",
2146 EC_FILE | EC_SYSCALL,
2147 EF_CREATES_FD | EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
2148 8,
2149 {{"fd", PT_FD, PF_DEC},
2150 {"dirfd", PT_FD, PF_DEC},
2151 {"name", PT_FSRELPATH, PF_NA, 1},
2152 {"flags", PT_FLAGS32, PF_HEX, file_flags},
2153 {"mode", PT_UINT32, PF_OCT},
2154 {"resolve", PT_FLAGS32, PF_HEX, openat2_flags},
2155 {"dev", PT_UINT32, PF_HEX},
2156 {"ino", PT_UINT64, PF_DEC}}},
2157 [PPME_SYSCALL_MPROTECT_E] = {"mprotect",
2158 EC_MEMORY | EC_SYSCALL,
2159 EF_OLD_VERSION | EF_CONVERTER_MANAGED,
2160 3,
2161 {{"addr", PT_UINT64, PF_HEX},
2162 {"length", PT_UINT64, PF_DEC},
2163 {"prot", PT_FLAGS32, PF_HEX, prot_flags}}},
2164 [PPME_SYSCALL_MPROTECT_X] = {"mprotect",
2165 EC_MEMORY | EC_SYSCALL,
2166 EF_CONVERTER_MANAGED,
2167 4,
2168 {{"res", PT_ERRNO, PF_DEC},
2169 {"addr", PT_UINT64, PF_HEX},
2170 {"length", PT_UINT64, PF_DEC},
2171 {"prot", PT_FLAGS32, PF_HEX, prot_flags}}},
2172 [PPME_SYSCALL_EXECVEAT_E] = {"execveat",
2173 EC_PROCESS | EC_SYSCALL,
2174 EF_OLD_VERSION | EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
2175 3,
2176 {{"dirfd", PT_FD, PF_DEC},
2177 {"pathname", PT_FSRELPATH, PF_NA, 0},
2178 {"flags", PT_FLAGS32, PF_HEX, execveat_flags}}},
2179 [PPME_SYSCALL_EXECVEAT_X] = {"execveat",
2180 EC_PROCESS | EC_SYSCALL,
2181 EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
2182 30,
2183 {{"res", PT_ERRNO, PF_DEC},
2184 {"exe", PT_CHARBUF, PF_NA},
2185 {"args", PT_BYTEBUF, PF_NA},
2186 {"tid", PT_PID, PF_DEC},
2187 {"pid", PT_PID, PF_DEC},
2188 {"ptid", PT_PID, PF_DEC},
2189 {"cwd", PT_CHARBUF, PF_NA},
2190 {"fdlimit", PT_UINT64, PF_DEC},
2191 {"pgft_maj", PT_UINT64, PF_DEC},
2192 {"pgft_min", PT_UINT64, PF_DEC},
2193 {"vm_size", PT_UINT32, PF_DEC},
2194 {"vm_rss", PT_UINT32, PF_DEC},
2195 {"vm_swap", PT_UINT32, PF_DEC},
2196 {"comm", PT_CHARBUF, PF_NA},
2197 {"cgroups", PT_BYTEBUF, PF_NA},
2198 {"env", PT_BYTEBUF, PF_NA},
2199 {"tty", PT_UINT32, PF_DEC},
2200 {"vpgid", PT_PID, PF_DEC},
2201 {"loginuid", PT_UID, PF_DEC},
2202 {"flags", PT_FLAGS32, PF_HEX, execve_flags},
2203 {"cap_inheritable", PT_UINT64, PF_HEX},
2204 {"cap_permitted", PT_UINT64, PF_HEX},
2205 {"cap_effective", PT_UINT64, PF_HEX},
2206 {"exe_ino", PT_UINT64, PF_DEC},
2207 {"exe_ino_ctime", PT_ABSTIME, PF_DEC},
2208 {"exe_ino_mtime", PT_ABSTIME, PF_DEC},
2209 {"uid", PT_UID, PF_DEC},
2210 {"trusted_exepath", PT_FSPATH, PF_NA},
2211 {"pgid", PT_PID, PF_NA},
2212 {"gid", PT_GID, PF_DEC}}},
2213 [PPME_SYSCALL_COPY_FILE_RANGE_E] = {"copy_file_range",
2214 EC_FILE | EC_SYSCALL,
2215 EF_OLD_VERSION | EF_USES_FD | EF_READS_FROM_FD |
2216 EF_WRITES_TO_FD | EF_CONVERTER_MANAGED,
2217 3,
2218 {{"fdin", PT_FD, PF_DEC},
2219 {"offin", PT_UINT64, PF_DEC},
2220 {"len", PT_UINT64, PF_DEC}}},
2221 [PPME_SYSCALL_COPY_FILE_RANGE_X] = {"copy_file_range",
2222 EC_FILE | EC_SYSCALL,
2223 EF_USES_FD | EF_READS_FROM_FD | EF_WRITES_TO_FD |
2224 EF_CONVERTER_MANAGED,
2225 6,
2226 {{"res", PT_ERRNO, PF_DEC},
2227 {"fdout", PT_FD, PF_DEC},
2228 {"offout", PT_UINT64, PF_DEC},
2229 {"fdin", PT_FD, PF_DEC},
2230 {"offin", PT_UINT64, PF_DEC},
2231 {"len", PT_UINT64, PF_DEC}}},
2232 [PPME_SYSCALL_CLONE3_E] = {"clone3",
2233 EC_PROCESS | EC_SYSCALL,
2234 EF_OLD_VERSION | EF_MODIFIES_STATE,
2235 0},
2236 [PPME_SYSCALL_CLONE3_X] = {"clone3",
2237 EC_PROCESS | EC_SYSCALL,
2238 EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
2239 21,
2240 {{"res", PT_PID, PF_DEC},
2241 {"exe", PT_CHARBUF, PF_NA},
2242 {"args", PT_BYTEBUF, PF_NA},
2243 {"tid", PT_PID, PF_DEC},
2244 {"pid", PT_PID, PF_DEC},
2245 {"ptid", PT_PID, PF_DEC},
2246 {"cwd", PT_CHARBUF, PF_NA},
2247 {"fdlimit", PT_INT64, PF_DEC},
2248 {"pgft_maj", PT_UINT64, PF_DEC},
2249 {"pgft_min", PT_UINT64, PF_DEC},
2250 {"vm_size", PT_UINT32, PF_DEC},
2251 {"vm_rss", PT_UINT32, PF_DEC},
2252 {"vm_swap", PT_UINT32, PF_DEC},
2253 {"comm", PT_CHARBUF, PF_NA},
2254 {"cgroups", PT_BYTEBUF, PF_NA},
2255 {"flags", PT_FLAGS32, PF_HEX, clone_flags},
2256 {"uid", PT_UINT32, PF_DEC},
2257 {"gid", PT_UINT32, PF_DEC},
2258 {"vtid", PT_PID, PF_DEC},
2259 {"vpid", PT_PID, PF_DEC},
2260 {"pidns_init_start_ts", PT_UINT64, PF_DEC}}},
2261 [PPME_SYSCALL_OPEN_BY_HANDLE_AT_E] = {"open_by_handle_at",
2262 EC_FILE | EC_SYSCALL,
2263 EF_OLD_VERSION | EF_CREATES_FD | EF_MODIFIES_STATE,
2264 0},
2265 [PPME_SYSCALL_OPEN_BY_HANDLE_AT_X] = {"open_by_handle_at",
2266 EC_FILE | EC_SYSCALL,
2267 EF_CREATES_FD | EF_MODIFIES_STATE,
2268 6,
2269 {{"fd", PT_FD, PF_DEC},
2270 {"mountfd", PT_FD, PF_DEC},
2271 {"flags", PT_FLAGS32, PF_HEX, file_flags},
2272 {"path", PT_FSPATH, PF_NA},
2273 {"dev", PT_UINT32, PF_HEX},
2274 {"ino", PT_UINT64, PF_DEC}}},
2275 [PPME_SYSCALL_IO_URING_SETUP_E] = {"io_uring_setup",
2276 EC_IO_OTHER | EC_SYSCALL,
2277 EF_OLD_VERSION | EF_CREATES_FD | EF_MODIFIES_STATE,
2278 0},
2279 [PPME_SYSCALL_IO_URING_SETUP_X] =
2280 {"io_uring_setup",
2281 EC_IO_OTHER | EC_SYSCALL,
2282 EF_CREATES_FD | EF_MODIFIES_STATE,
2283 8,
2284 {{"res", PT_ERRNO, PF_DEC},
2285 {"entries", PT_UINT32, PF_DEC},
2286 {"sq_entries", PT_UINT32, PF_DEC},
2287 {"cq_entries", PT_UINT32, PF_DEC},
2288 {"flags", PT_FLAGS32, PF_HEX, io_uring_setup_flags},
2289 {"sq_thread_cpu", PT_UINT32, PF_DEC},
2290 {"sq_thread_idle", PT_UINT32, PF_DEC},
2291 {"features", PT_FLAGS32, PF_HEX, io_uring_setup_feats}}},
2292 [PPME_SYSCALL_IO_URING_ENTER_E] = {"io_uring_enter",
2293 EC_IO_OTHER | EC_SYSCALL,
2294 EF_OLD_VERSION,
2295 0},
2296 [PPME_SYSCALL_IO_URING_ENTER_X] = {"io_uring_enter",
2297 EC_IO_OTHER | EC_SYSCALL,
2298 EF_USES_FD,
2299 6,
2300 {{"res", PT_ERRNO, PF_DEC},
2301 {"fd", PT_FD, PF_DEC},
2302 {"to_submit", PT_UINT32, PF_DEC},
2303 {"min_complete", PT_UINT32, PF_DEC},
2304 {"flags", PT_FLAGS32, PF_HEX, io_uring_enter_flags},
2305 {"sig", PT_SIGSET, PF_DEC}}},
2306 [PPME_SYSCALL_IO_URING_REGISTER_E] = {"io_uring_register",
2307 EC_IO_OTHER | EC_SYSCALL,
2308 EF_OLD_VERSION,
2309 0},
2310 [PPME_SYSCALL_IO_URING_REGISTER_X] =
2311 {"io_uring_register",
2312 EC_IO_OTHER | EC_SYSCALL,
2313 EF_USES_FD,
2314 5,
2315 {{"res", PT_ERRNO, PF_DEC},
2316 {"fd", PT_FD, PF_DEC},
2317 {"opcode", PT_ENUMFLAGS16, PF_DEC, io_uring_register_opcodes},
2318 {"arg", PT_UINT64, PF_HEX},
2319 {"nr_args", PT_UINT32, PF_DEC}}},
2320 [PPME_SYSCALL_MLOCK_E] = {"mlock", EC_MEMORY | EC_SYSCALL, EF_OLD_VERSION, 0},
2321 [PPME_SYSCALL_MLOCK_X] = {"mlock",
2322 EC_MEMORY | EC_SYSCALL,
2323 EF_NONE,
2324 3,
2325 {{"res", PT_ERRNO, PF_DEC},
2326 {"addr", PT_UINT64, PF_HEX},
2327 {"len", PT_UINT64, PF_DEC}}},
2328 [PPME_SYSCALL_MUNLOCK_E] = {"munlock", EC_MEMORY | EC_SYSCALL, EF_OLD_VERSION, 0},
2329 [PPME_SYSCALL_MUNLOCK_X] = {"munlock",
2330 EC_MEMORY | EC_SYSCALL,
2331 EF_NONE,
2332 3,
2333 {{"res", PT_ERRNO, PF_DEC},
2334 {"addr", PT_UINT64, PF_HEX},
2335 {"len", PT_UINT64, PF_DEC}}},
2336 [PPME_SYSCALL_MLOCKALL_E] = {"mlockall", EC_MEMORY | EC_SYSCALL, EF_OLD_VERSION, 0},
2337 [PPME_SYSCALL_MLOCKALL_X] = {"mlockall",
2338 EC_MEMORY | EC_SYSCALL,
2339 EF_NONE,
2340 2,
2341 {{"res", PT_ERRNO, PF_DEC},
2342 {"flags", PT_FLAGS32, PF_HEX, mlockall_flags}}},
2343 [PPME_SYSCALL_MUNLOCKALL_E] = {"munlockall", EC_MEMORY | EC_SYSCALL, EF_OLD_VERSION, 0},
2344 [PPME_SYSCALL_MUNLOCKALL_X] =
2345 {"munlockall", EC_MEMORY | EC_SYSCALL, EF_NONE, 1, {{"res", PT_ERRNO, PF_DEC}}},
2346 [PPME_SYSCALL_CAPSET_E] = {"capset",
2347 EC_PROCESS | EC_SYSCALL,
2348 EF_OLD_VERSION | EF_MODIFIES_STATE,
2349 0},
2350 [PPME_SYSCALL_CAPSET_X] = {"capset",
2351 EC_PROCESS | EC_SYSCALL,
2352 EF_MODIFIES_STATE,
2353 4,
2354 {{"res", PT_ERRNO, PF_DEC},
2355 {"cap_inheritable", PT_UINT64, PF_HEX},
2356 {"cap_permitted", PT_UINT64, PF_HEX},
2357 {"cap_effective", PT_UINT64, PF_HEX}}},
2358 [PPME_USER_ADDED_E] = {"useradded",
2359 EC_PROCESS | EC_METAEVENT,
2360 EF_MODIFIES_STATE,
2361 6,
2362 {{"uid", PT_UINT32, PF_DEC},
2363 {"gid", PT_UINT32, PF_DEC},
2364 {"name", PT_CHARBUF, PF_NA},
2365 {"home", PT_CHARBUF, PF_NA},
2366 {"shell", PT_CHARBUF, PF_NA},
2367 {"container_id", PT_CHARBUF, PF_NA}}},
2368 [PPME_USER_ADDED_X] = {"NA", EC_UNKNOWN, EF_UNUSED, 0},
2369 [PPME_USER_DELETED_E] = {"userdeleted",
2370 EC_PROCESS | EC_METAEVENT,
2371 EF_MODIFIES_STATE,
2372 6,
2373 {{"uid", PT_UINT32, PF_DEC},
2374 {"gid", PT_UINT32, PF_DEC},
2375 {"name", PT_CHARBUF, PF_NA},
2376 {"home", PT_CHARBUF, PF_NA},
2377 {"shell", PT_CHARBUF, PF_NA},
2378 {"container_id", PT_CHARBUF, PF_NA}}},
2379 [PPME_USER_DELETED_X] = {"NA", EC_UNKNOWN, EF_UNUSED, 0},
2380 [PPME_GROUP_ADDED_E] = {"groupadded",
2381 EC_PROCESS | EC_METAEVENT,
2382 EF_MODIFIES_STATE,
2383 3,
2384 {{"gid", PT_UINT32, PF_DEC},
2385 {"name", PT_CHARBUF, PF_NA},
2386 {"container_id", PT_CHARBUF, PF_NA}}},
2387 [PPME_GROUP_ADDED_X] = {"NA", EC_UNKNOWN, EF_UNUSED, 0},
2388 [PPME_GROUP_DELETED_E] = {"groupdeleted",
2389 EC_PROCESS | EC_METAEVENT,
2390 EF_MODIFIES_STATE,
2391 3,
2392 {{"gid", PT_UINT32, PF_DEC},
2393 {"name", PT_CHARBUF, PF_NA},
2394 {"container_id", PT_CHARBUF, PF_NA}}},
2395 [PPME_GROUP_DELETED_X] = {"NA", EC_UNKNOWN, EF_UNUSED, 0},
2396 [PPME_SYSCALL_DUP2_E] = {"dup2",
2397 EC_IO_OTHER | EC_SYSCALL,
2398 EF_OLD_VERSION | EF_CREATES_FD | EF_USES_FD | EF_MODIFIES_STATE,
2399 1,
2400 {{"fd", PT_FD, PF_DEC}}},
2401 [PPME_SYSCALL_DUP2_X] = {"dup2",
2402 EC_IO_OTHER | EC_SYSCALL,
2403 EF_CREATES_FD | EF_USES_FD | EF_MODIFIES_STATE,
2404 3,
2405 {{"res", PT_FD, PF_DEC},
2406 {"oldfd", PT_FD, PF_DEC},
2407 {"newfd", PT_FD, PF_DEC}}},
2408 [PPME_SYSCALL_DUP3_E] = {"dup3",
2409 EC_IO_OTHER | EC_SYSCALL,
2410 EF_OLD_VERSION | EF_CREATES_FD | EF_USES_FD | EF_MODIFIES_STATE,
2411 1,
2412 {{"fd", PT_FD, PF_DEC}}},
2413 [PPME_SYSCALL_DUP3_X] = {"dup3",
2414 EC_IO_OTHER | EC_SYSCALL,
2415 EF_CREATES_FD | EF_USES_FD | EF_MODIFIES_STATE,
2416 4,
2417 {{"res", PT_FD, PF_DEC},
2418 {"oldfd", PT_FD, PF_DEC},
2419 {"newfd", PT_FD, PF_DEC},
2420 {"flags", PT_FLAGS32, PF_HEX, file_flags}}},
2421 [PPME_SYSCALL_DUP_1_E] = {"dup",
2422 EC_IO_OTHER | EC_SYSCALL,
2423 EF_OLD_VERSION | EF_CREATES_FD | EF_USES_FD | EF_MODIFIES_STATE,
2424 1,
2425 {{"fd", PT_FD, PF_DEC}}},
2426 [PPME_SYSCALL_DUP_1_X] = {"dup",
2427 EC_IO_OTHER | EC_SYSCALL,
2428 EF_CREATES_FD | EF_USES_FD | EF_MODIFIES_STATE,
2429 2,
2430 {{"res", PT_FD, PF_DEC}, {"oldfd", PT_FD, PF_DEC}}},
2431 [PPME_SYSCALL_BPF_2_E] = {"bpf",
2432 EC_OTHER | EC_SYSCALL,
2433 EF_OLD_VERSION | EF_CREATES_FD,
2434 1,
2435 {{"cmd", PT_INT64, PF_DEC}}},
2436 [PPME_SYSCALL_BPF_2_X] = {"bpf",
2437 EC_OTHER | EC_SYSCALL,
2438 EF_CREATES_FD,
2439 2,
2440 {{"fd", PT_FD, PF_DEC},
2441 {"cmd", PT_ENUMFLAGS32, PF_DEC, bpf_commands}}},
2442 [PPME_SYSCALL_MLOCK2_E] = {"mlock2", EC_MEMORY | EC_SYSCALL, EF_OLD_VERSION, 0},
2443 [PPME_SYSCALL_MLOCK2_X] = {"mlock2",
2444 EC_MEMORY | EC_SYSCALL,
2445 EF_NONE,
2446 4,
2447 {{"res", PT_ERRNO, PF_DEC},
2448 {"addr", PT_UINT64, PF_HEX},
2449 {"len", PT_UINT64, PF_DEC},
2450 {"flags", PT_FLAGS32, PF_HEX, mlock2_flags}}},
2451 [PPME_SYSCALL_FSCONFIG_E] = {"fsconfig", EC_SYSTEM | EC_SYSCALL, EF_OLD_VERSION, 0},
2452 [PPME_SYSCALL_FSCONFIG_X] = {"fsconfig",
2453 EC_SYSTEM | EC_SYSCALL,
2454 EF_USES_FD,
2455 7,
2456 {{"res", PT_ERRNO, PF_DEC},
2457 {"fd", PT_FD, PF_DEC},
2458 {"cmd", PT_ENUMFLAGS32, PF_DEC, fsconfig_cmds},
2459 {"key", PT_CHARBUF, PF_NA},
2460 {"value_bytebuf", PT_BYTEBUF, PF_NA},
2461 {"value_charbuf", PT_CHARBUF, PF_NA},
2462 {"aux", PT_INT32, PF_DEC}}},
2463 [PPME_SYSCALL_EPOLL_CREATE_E] = {"epoll_create",
2464 EC_WAIT | EC_SYSCALL,
2465 EF_OLD_VERSION | EF_CREATES_FD | EF_MODIFIES_STATE |
2466 EF_CONVERTER_MANAGED,
2467 1,
2468 {{"size", PT_INT32, PF_DEC}}},
2469 [PPME_SYSCALL_EPOLL_CREATE_X] = {"epoll_create",
2470 EC_WAIT | EC_SYSCALL,
2471 EF_CREATES_FD | EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
2472 2,
2473 {{"res", PT_ERRNO, PF_DEC}, {"size", PT_INT32, PF_DEC}}},
2474 [PPME_SYSCALL_EPOLL_CREATE1_E] = {"epoll_create1",
2475 EC_WAIT | EC_SYSCALL,
2476 EF_OLD_VERSION | EF_CREATES_FD | EF_MODIFIES_STATE |
2477 EF_CONVERTER_MANAGED,
2478 1,
2479 {{"flags", PT_FLAGS32, PF_HEX, epoll_create1_flags}}},
2480 [PPME_SYSCALL_EPOLL_CREATE1_X] = {"epoll_create1",
2481 EC_WAIT | EC_SYSCALL,
2482 EF_CREATES_FD | EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
2483 2,
2484 {{"res", PT_ERRNO, PF_DEC},
2485 {"flags", PT_FLAGS32, PF_HEX, epoll_create1_flags}}},
2486 [PPME_SYSCALL_CHOWN_E] = {"chown", EC_FILE | EC_SYSCALL, EF_OLD_VERSION, 0},
2487 [PPME_SYSCALL_CHOWN_X] = {"chown",
2488 EC_FILE | EC_SYSCALL,
2489 EF_NONE,
2490 4,
2491 {{"res", PT_ERRNO, PF_DEC},
2492 {"path", PT_FSPATH, PF_NA},
2493 {"uid", PT_UINT32, PF_DEC},
2494 {"gid", PT_UINT32, PF_DEC}}},
2495 [PPME_SYSCALL_LCHOWN_E] = {"lchown", EC_FILE | EC_SYSCALL, EF_OLD_VERSION, 0},
2496 [PPME_SYSCALL_LCHOWN_X] = {"lchown",
2497 EC_FILE | EC_SYSCALL,
2498 EF_NONE,
2499 4,
2500 {{"res", PT_ERRNO, PF_DEC},
2501 {"path", PT_FSPATH, PF_NA},
2502 {"uid", PT_UINT32, PF_DEC},
2503 {"gid", PT_UINT32, PF_DEC}}},
2504 [PPME_SYSCALL_FCHOWN_E] = {"fchown", EC_FILE | EC_SYSCALL, EF_OLD_VERSION, 0},
2505 [PPME_SYSCALL_FCHOWN_X] = {"fchown",
2506 EC_FILE | EC_SYSCALL,
2507 EF_USES_FD,
2508 4,
2509 {{"res", PT_ERRNO, PF_DEC},
2510 {"fd", PT_FD, PF_DEC},
2511 {"uid", PT_UINT32, PF_DEC},
2512 {"gid", PT_UINT32, PF_DEC}}},
2513 [PPME_SYSCALL_FCHOWNAT_E] = {"fchownat", EC_FILE | EC_SYSCALL, EF_OLD_VERSION, 0},
2514 [PPME_SYSCALL_FCHOWNAT_X] = {"fchownat",
2515 EC_FILE | EC_SYSCALL,
2516 EF_USES_FD,
2517 6,
2518 {{"res", PT_ERRNO, PF_DEC},
2519 {"dirfd", PT_FD, PF_DEC},
2520 {"pathname", PT_FSRELPATH, PF_NA, 1},
2521 {"uid", PT_UINT32, PF_DEC},
2522 {"gid", PT_UINT32, PF_DEC},
2523 {"flags", PT_FLAGS32, PF_HEX, fchownat_flags}}},
2524 [PPME_SYSCALL_UMOUNT_1_E] = {"umount",
2525 EC_FILE | EC_SYSCALL,
2526 EF_OLD_VERSION | EF_MODIFIES_STATE,
2527 0},
2528 [PPME_SYSCALL_UMOUNT_1_X] = {"umount",
2529 EC_FILE | EC_SYSCALL,
2530 EF_MODIFIES_STATE,
2531 2,
2532 {{"res", PT_ERRNO, PF_DEC}, {"name", PT_FSPATH, PF_NA}}},
2533 [PPME_SOCKET_ACCEPT4_6_E] = {"accept4",
2534 EC_NET | EC_SYSCALL,
2535 EF_OLD_VERSION | EF_CREATES_FD | EF_MODIFIES_STATE |
2536 EF_CONVERTER_MANAGED,
2537 1,
2538 {{"flags", PT_INT32, PF_HEX}}},
2539 [PPME_SOCKET_ACCEPT4_6_X] = {"accept4",
2540 EC_NET | EC_SYSCALL,
2541 EF_CREATES_FD | EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
2542 6,
2543 {{"fd", PT_FD, PF_DEC},
2544 {"tuple", PT_SOCKTUPLE, PF_NA},
2545 {"queuepct", PT_UINT8, PF_DEC},
2546 {"queuelen", PT_UINT32, PF_DEC},
2547 {"queuemax", PT_UINT32, PF_DEC},
2548 {"flags", PT_INT32, PF_HEX}}},
2549 [PPME_SYSCALL_UMOUNT2_E] = {"umount2",
2550 EC_FILE | EC_SYSCALL,
2551 EF_OLD_VERSION | EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
2552 1,
2553 {{"flags", PT_FLAGS32, PF_HEX, umount_flags}}},
2554 [PPME_SYSCALL_UMOUNT2_X] = {"umount2",
2555 EC_FILE | EC_SYSCALL,
2556 EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
2557 3,
2558 {{"res", PT_ERRNO, PF_DEC},
2559 {"name", PT_FSPATH, PF_NA},
2560 {"flags", PT_FLAGS32, PF_HEX, umount_flags}}},
2561 [PPME_SYSCALL_PIPE2_E] = {"pipe2",
2562 EC_IPC | EC_SYSCALL,
2563 EF_OLD_VERSION | EF_CREATES_FD | EF_MODIFIES_STATE,
2564 0},
2565 [PPME_SYSCALL_PIPE2_X] = {"pipe2",
2566 EC_IPC | EC_SYSCALL,
2567 EF_CREATES_FD | EF_MODIFIES_STATE,
2568 5,
2569 {{"res", PT_ERRNO, PF_DEC},
2570 {"fd1", PT_FD, PF_DEC},
2571 {"fd2", PT_FD, PF_DEC},
2572 {"ino", PT_UINT64, PF_DEC},
2573 {"flags", PT_FLAGS32, PF_HEX, file_flags}}},
2574 [PPME_SYSCALL_INOTIFY_INIT1_E] = {"inotify_init1",
2575 EC_IPC | EC_SYSCALL,
2576 EF_OLD_VERSION | EF_CREATES_FD | EF_MODIFIES_STATE,
2577 0},
2578 [PPME_SYSCALL_INOTIFY_INIT1_X] = {"inotify_init1",
2579 EC_IPC | EC_SYSCALL,
2580 EF_CREATES_FD | EF_MODIFIES_STATE,
2581 2,
2582 {{"res", PT_FD, PF_DEC},
2583 {"flags", PT_FLAGS16, PF_HEX, file_flags}}},
2584 [PPME_SYSCALL_EVENTFD2_E] = {"eventfd2",
2585 EC_IPC | EC_SYSCALL,
2586 EF_OLD_VERSION | EF_CREATES_FD | EF_MODIFIES_STATE |
2587 EF_CONVERTER_MANAGED,
2588 1,
2589 {{"initval", PT_UINT64, PF_DEC}}},
2590 [PPME_SYSCALL_EVENTFD2_X] = {"eventfd2",
2591 EC_IPC | EC_SYSCALL,
2592 EF_CREATES_FD | EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
2593 3,
2594 {{"res", PT_FD, PF_DEC},
2595 {"flags", PT_FLAGS16, PF_HEX, file_flags},
2596 {"initval", PT_UINT64, PF_DEC}}},
2597 [PPME_SYSCALL_SIGNALFD4_E] = {"signalfd4",
2598 EC_SIGNAL | EC_SYSCALL,
2599 EF_OLD_VERSION | EF_CREATES_FD | EF_MODIFIES_STATE |
2600 EF_CONVERTER_MANAGED,
2601 2,
2602 {{"fd", PT_FD, PF_DEC}, {"mask", PT_UINT32, PF_HEX}}},
2603 [PPME_SYSCALL_SIGNALFD4_X] = {"signalfd4",
2604 EC_SIGNAL | EC_SYSCALL,
2605 EF_CREATES_FD | EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
2606 4,
2607 {{"res", PT_FD, PF_DEC},
2608 {"flags", PT_FLAGS16, PF_HEX, file_flags},
2609 {"fd", PT_FD, PF_DEC},
2610 {"mask", PT_UINT32, PF_HEX}}},
2611 [PPME_SYSCALL_PRCTL_E] = {"prctl",
2612 EC_PROCESS | EC_SYSCALL,
2613 EF_OLD_VERSION | EF_MODIFIES_STATE,
2614 0},
2615 [PPME_SYSCALL_PRCTL_X] = {"prctl",
2616 EC_PROCESS | EC_SYSCALL,
2617 EF_MODIFIES_STATE,
2618 4,
2619 {{"res", PT_ERRNO, PF_DEC},
2620 {"option", PT_ENUMFLAGS32, PF_DEC, prctl_options},
2621 {"arg2_str", PT_CHARBUF, PF_NA},
2622 {"arg2_int", PT_INT64, PF_DEC}}},
2623 [PPME_ASYNCEVENT_E] = {"asyncevent",
2624 EC_OTHER | EC_METAEVENT,
2625 EF_LARGE_PAYLOAD,
2626 3,
2627 {{"plugin_id", PT_UINT32, PF_DEC},
2628 {"name", PT_CHARBUF, PF_NA},
2629 {"data", PT_BYTEBUF, PF_NA}}},
2630 [PPME_ASYNCEVENT_X] = {"NA", EC_UNKNOWN, EF_UNUSED, 0},
2631 [PPME_SYSCALL_MEMFD_CREATE_E] = {"memfd_create",
2632 EC_MEMORY | EC_SYSCALL,
2633 EF_OLD_VERSION | EF_CREATES_FD | EF_MODIFIES_STATE,
2634 0},
2635 [PPME_SYSCALL_MEMFD_CREATE_X] = {"memfd_create",
2636 EC_MEMORY | EC_SYSCALL,
2637 EF_CREATES_FD | EF_MODIFIES_STATE,
2638 3,
2639 {{"fd", PT_FD, PF_DEC},
2640 {"name", PT_CHARBUF, PF_NA},
2641 {"flags", PT_FLAGS32, PF_HEX, memfd_create_flags}}},
2642 [PPME_SYSCALL_PIDFD_GETFD_E] = {"pidfd_getfd",
2643 EC_PROCESS | EC_SYSCALL,
2644 EF_OLD_VERSION | EF_CREATES_FD | EF_MODIFIES_STATE,
2645 0},
2646 [PPME_SYSCALL_PIDFD_GETFD_X] = {"pidfd_getfd",
2647 EC_PROCESS | EC_SYSCALL,
2648 EF_CREATES_FD | EF_MODIFIES_STATE,
2649 4,
2650 {{"fd", PT_FD, PF_DEC},
2651 {"pid_fd", PT_FD, PF_DEC},
2652 {"target_fd", PT_FD, PF_DEC},
2653 {"flags", PT_UINT32, PF_HEX}}},
2654 [PPME_SYSCALL_PIDFD_OPEN_E] = {"pidfd_open",
2655 EC_PROCESS | EC_SYSCALL,
2656 EF_OLD_VERSION | EF_CREATES_FD | EF_MODIFIES_STATE,
2657 0},
2658 [PPME_SYSCALL_PIDFD_OPEN_X] = {"pidfd_open",
2659 EC_PROCESS | EC_SYSCALL,
2660 EF_CREATES_FD | EF_MODIFIES_STATE,
2661 3,
2662 {{"fd", PT_FD, PF_DEC},
2663 {"pid", PT_PID, PF_DEC},
2664 {"flags", PT_FLAGS32, PF_HEX, pidfd_open_flags}}},
2665 [PPME_SYSCALL_INIT_MODULE_E] = {"init_module", EC_OTHER | EC_SYSCALL, EF_OLD_VERSION, 0},
2666 [PPME_SYSCALL_INIT_MODULE_X] = {"init_module",
2667 EC_OTHER | EC_SYSCALL,
2668 EF_NONE,
2669 4,
2670 {{"res", PT_ERRNO, PF_DEC},
2671 {"img", PT_BYTEBUF, PF_NA},
2672 {"length", PT_UINT64, PF_DEC},
2673 {"uargs", PT_CHARBUF, PF_NA}}},
2674 [PPME_SYSCALL_FINIT_MODULE_E] = {"finit_module", EC_OTHER | EC_SYSCALL, EF_OLD_VERSION, 0},
2675 [PPME_SYSCALL_FINIT_MODULE_X] = {"finit_module",
2676 EC_OTHER | EC_SYSCALL,
2677 EF_USES_FD | EF_READS_FROM_FD,
2678 4,
2679 {{"res", PT_ERRNO, PF_DEC},
2680 {"fd", PT_FD, PF_DEC},
2681 {"uargs", PT_CHARBUF, PF_NA},
2682 {"flags", PT_FLAGS32, PF_HEX, finit_module_flags}}},
2683 [PPME_SYSCALL_MKNOD_E] = {"mknod", EC_OTHER | EC_SYSCALL, EF_OLD_VERSION, 0},
2684 [PPME_SYSCALL_MKNOD_X] = {"mknod",
2685 EC_OTHER | EC_SYSCALL,
2686 EF_NONE,
2687 4,
2688 {{"res", PT_ERRNO, PF_DEC},
2689 {"path", PT_FSPATH, PF_NA},
2690 {"mode", PT_MODE, PF_OCT, mknod_mode},
2691 {"dev", PT_UINT32, PF_DEC}}},
2692 [PPME_SYSCALL_MKNODAT_E] = {"mknodat", EC_OTHER | EC_SYSCALL, EF_OLD_VERSION, 0},
2693 [PPME_SYSCALL_MKNODAT_X] = {"mknodat",
2694 EC_OTHER | EC_SYSCALL,
2695 EF_USES_FD,
2696 5,
2697 {{"res", PT_ERRNO, PF_DEC},
2698 {"dirfd", PT_FD, PF_DEC},
2699 {"path", PT_FSRELPATH, PF_NA, 1},
2700 {"mode", PT_MODE, PF_OCT, mknod_mode},
2701 {"dev", PT_UINT32, PF_DEC}}},
2702 [PPME_SYSCALL_NEWFSTATAT_E] = {"newfstatat", EC_FILE | EC_SYSCALL, EF_OLD_VERSION, 0},
2703 [PPME_SYSCALL_NEWFSTATAT_X] = {"newfstatat",
2704 EC_FILE | EC_SYSCALL,
2705 EF_USES_FD,
2706 4,
2707 {{"res", PT_ERRNO, PF_DEC},
2708 {"dirfd", PT_FD, PF_DEC},
2709 {"path", PT_FSRELPATH, PF_NA, 1},
2710 {"flags", PT_FLAGS32, PF_HEX, newfstatat_flags}}},
2711 [PPME_SYSCALL_PROCESS_VM_READV_E] = {"process_vm_readv",
2712 EC_SYSCALL | EC_IPC,
2713 EF_OLD_VERSION,
2714 0},
2715 [PPME_SYSCALL_PROCESS_VM_READV_X] = {"process_vm_readv",
2716 EC_SYSCALL | EC_IPC,
2717 EF_NONE,
2718 3,
2719 {{"res", PT_INT64, PF_DEC},
2720 {"pid", PT_PID, PF_DEC},
2721 {"data", PT_BYTEBUF, PF_NA}}},
2722 [PPME_SYSCALL_PROCESS_VM_WRITEV_E] = {"process_vm_writev",
2723 EC_SYSCALL | EC_IPC,
2724 EF_OLD_VERSION,
2725 0},
2726 [PPME_SYSCALL_PROCESS_VM_WRITEV_X] = {"process_vm_writev",
2727 EC_SYSCALL | EC_IPC,
2728 EF_NONE,
2729 3,
2730 {{"res", PT_INT64, PF_DEC},
2731 {"pid", PT_PID, PF_DEC},
2732 {"data", PT_BYTEBUF, PF_NA}}},
2733 [PPME_SYSCALL_DELETE_MODULE_E] = {"delete_module",
2734 EC_OTHER | EC_SYSCALL,
2735 EF_OLD_VERSION,
2736 0},
2737 [PPME_SYSCALL_DELETE_MODULE_X] = {"delete_module",
2738 EC_OTHER | EC_SYSCALL,
2739 EF_NONE,
2740 3,
2741 {{"res", PT_ERRNO, PF_DEC},
2742 {"name", PT_CHARBUF, PF_NA},
2743 {"flags", PT_FLAGS32, PF_HEX, delete_module_flags}}},
2744 [PPME_SYSCALL_SETREUID_E] = {"setreuid",
2745 EC_USER | EC_SYSCALL,
2746 EF_OLD_VERSION | EF_MODIFIES_STATE,
2747 0},
2748 [PPME_SYSCALL_SETREUID_X] = {"setreuid",
2749 EC_USER | EC_SYSCALL,
2750 EF_MODIFIES_STATE,
2751 3,
2752 {{"res", PT_ERRNO, PF_DEC},
2753 {"ruid", PT_UID, PF_DEC},
2754 {"euid", PT_UID, PF_DEC}}},
2755 [PPME_SYSCALL_SETREGID_E] = {"setregid", EC_USER | EC_SYSCALL, EF_OLD_VERSION, 0},
2756 [PPME_SYSCALL_SETREGID_X] = {"setregid",
2757 EC_USER | EC_SYSCALL,
2758 EF_MODIFIES_STATE,
2759 3,
2760 {{"res", PT_ERRNO, PF_DEC},
2761 {"rgid", PT_UID, PF_DEC},
2762 {"egid", PT_UID, PF_DEC}}},
2763 [PPME_ITER_TASK_E] = {"task",
2764 EC_ITER | EC_PROCESS,
2765 EF_MODIFIES_STATE,
2766 32,
2767 {{"ppid", PT_PID32, PF_DEC},
2768 {"pgid", PT_PID32, PF_DEC},
2769 {"vpgid", PT_PID32, PF_DEC},
2770 {"sid", PT_PID32, PF_DEC},
2771 {"comm", PT_CHARBUF, PF_NA},
2772 {"argv", PT_CHARBUFARRAY, PF_NA},
2773 {"exepath", PT_FSPATH, PF_NA},
2774 {"flags", PT_FLAGS32, PF_HEX, execve_flags},
2775 {"env", PT_CHARBUFARRAY, PF_NA},
2776 {"cwd", PT_CHARBUF, PF_NA},
2777 {"fdlimit", PT_UINT64, PF_DEC},
2778 {"euid", PT_UID, PF_DEC},
2779 {"egid", PT_GID, PF_DEC},
2780 {"cap_permitted", PT_UINT64, PF_HEX},
2781 {"cap_effective", PT_UINT64, PF_HEX},
2782 {"cap_inheritable", PT_UINT64, PF_HEX},
2783 {"exe_ino_num", PT_UINT64, PF_DEC},
2784 {"exe_ino_ctime", PT_ABSTIME, PF_DEC},
2785 {"exe_ino_mtime", PT_ABSTIME, PF_DEC},
2786 {"vm_size", PT_UINT32, PF_DEC},
2787 {"vm_rss", PT_UINT32, PF_DEC},
2788 {"vm_swap", PT_UINT32, PF_DEC},
2789 {"pgft_maj", PT_UINT64, PF_DEC},
2790 {"pgft_min", PT_UINT64, PF_DEC},
2791 {"vtgid", PT_PID32, PF_DEC},
2792 {"vpid", PT_PID32, PF_DEC},
2793 {"pidns_init_start_ts", PT_UINT64, PF_DEC},
2794 {"cgroups", PT_CHARBUFARRAY, PF_NA},
2795 {"root", PT_FSPATH, PF_NA},
2796 {"start_time", PT_ABSTIME, PF_DEC},
2797 {"tty", PT_UINT32, PF_DEC},
2798 {"loginuid", PT_UID, PF_DEC}}},
2799 [PPME_ITER_TASK_X] = {"NA", EC_UNKNOWN, EF_UNUSED, 0},
2800 [PPME_ITER_TASK_FILE_PIPE_E] = {"task_file_pipe",
2801 EC_ITER | EC_FILE,
2802 EF_MODIFIES_STATE,
2803 3,
2804 {{"fd", PT_FD32, PF_DEC},
2805 {"path", PT_FSPATH, PF_NA},
2806 {"ino_num", PT_UINT64, PF_DEC}}},
2807 [PPME_ITER_TASK_FILE_PIPE_X] = {"NA", EC_UNKNOWN, EF_UNUSED, 0},
2808 [PPME_ITER_TASK_FILE_MEMFD_E] = {"task_file_memfd",
2809 EC_ITER | EC_FILE,
2810 EF_MODIFIES_STATE,
2811 3,
2812 {{"fd", PT_FD32, PF_DEC},
2813 {"path", PT_FSPATH, PF_NA},
2814 {"ino_num", PT_UINT64, PF_DEC}}},
2815 [PPME_ITER_TASK_FILE_MEMFD_X] = {"NA", EC_UNKNOWN, EF_UNUSED, 0},
2816 [PPME_ITER_TASK_FILE_REGULAR_E] = {"task_file_regular",
2817 EC_ITER | EC_FILE,
2818 EF_MODIFIES_STATE,
2819 5,
2820 {{"fd", PT_FD32, PF_DEC},
2821 {"path", PT_FSPATH, PF_NA},
2822 {"flags", PT_FLAGS32, PF_HEX, file_flags},
2823 {"mnt_id", PT_UINT32, PF_DEC},
2824 {"ino_num", PT_UINT64, PF_DEC}}},
2825 [PPME_ITER_TASK_FILE_REGULAR_X] = {"NA", EC_UNKNOWN, EF_UNUSED, 0},
2826 [PPME_ITER_TASK_FILE_DIRECTORY_E] = {"task_file_directory",
2827 EC_ITER | EC_FILE,
2828 EF_MODIFIES_STATE,
2829 3,
2830 {{"fd", PT_FD32, PF_DEC},
2831 {"path", PT_FSPATH, PF_NA},
2832 {"ino_num", PT_UINT64, PF_DEC}}},
2833 [PPME_ITER_TASK_FILE_DIRECTORY_X] = {"NA", EC_UNKNOWN, EF_UNUSED, 0},
2834
2835 [PPME_ITER_TASK_FILE_SOCKET_INET_E] = {"task_file_socket_inet",
2836 EC_ITER | EC_FILE,
2837 EF_MODIFIES_STATE,
2838 8,
2839 {{"fd", PT_FD32, PF_DEC},
2840 {"sk_type", PT_UINT16, PF_DEC},
2841 {"sk_proto", PT_UINT16, PF_DEC},
2842 {"local_ip", PT_IPV4ADDR, PF_HEX},
2843 {"local_port", PT_PORT, PF_HEX},
2844 {"remote_ip", PT_IPV4ADDR, PF_HEX},
2845 {"remote_port", PT_PORT, PF_HEX},
2846 {"ino_num", PT_UINT64, PF_DEC}}},
2847 [PPME_ITER_TASK_FILE_SOCKET_INET_X] = {"NA", EC_UNKNOWN, EF_UNUSED, 0},
2848
2849 [PPME_ITER_TASK_FILE_SOCKET_INET6_E] = {"task_file_socket_inet6",
2850 EC_ITER | EC_FILE,
2851 EF_MODIFIES_STATE,
2852 8,
2853 {{"fd", PT_FD32, PF_DEC},
2854 {"sk_type", PT_UINT16, PF_DEC},
2855 {"sk_proto", PT_UINT16, PF_DEC},
2856 {"local_ip", PT_IPV6ADDR, PF_HEX},
2857 {"local_port", PT_PORT, PF_HEX},
2858 {"remote_ip", PT_IPV6ADDR, PF_HEX},
2859 {"remote_port", PT_PORT, PF_HEX},
2860 {"ino_num", PT_UINT64, PF_DEC}}},
2861 [PPME_ITER_TASK_FILE_SOCKET_INET6_X] = {"NA", EC_UNKNOWN, EF_UNUSED, 0},
2862 [PPME_ITER_TASK_FILE_SOCKET_UNIX_E] = {"task_file_socket_unix",
2863 EC_ITER | EC_FILE,
2864 EF_MODIFIES_STATE,
2865 6,
2866 {{"fd", PT_FD32, PF_DEC},
2867 {"sk_type", PT_UINT16, PF_DEC},
2868 {"sk_proto", PT_UINT16, PF_DEC},
2869 {"sk_pointer", PT_UINT64, PF_NA},
2870 {"sun_path", PT_FSPATH, PF_NA},
2871 {"ino_num", PT_UINT64, PF_DEC}}},
2872 [PPME_ITER_TASK_FILE_SOCKET_UNIX_X] = {"NA", EC_UNKNOWN, EF_UNUSED, 0},
2873 [PPME_ITER_TASK_FILE_SOCKET_NETLINK_E] = {"task_file_socket_netlink",
2874 EC_ITER | EC_FILE,
2875 EF_MODIFIES_STATE,
2876 4,
2877 {{"fd", PT_FD32, PF_DEC},
2878 {"sk_type", PT_UINT16, PF_DEC},
2879 {"sk_proto", PT_UINT16, PF_DEC},
2880 {"ino_num", PT_UINT64, PF_DEC}}},
2881 [PPME_ITER_TASK_FILE_SOCKET_NETLINK_X] = {"NA", EC_UNKNOWN, EF_UNUSED, 0},
2882 [PPME_ITER_TASK_FILE_ANON_INODE_E] =
2883 {"task_file_anon_inode",
2884 EC_ITER | EC_FILE,
2885 EF_MODIFIES_STATE,
2886 4,
2887 {{"fd", PT_FD32, PF_DEC},
2888 {"fd_type", PT_FLAGS8, PF_DEC, anon_inode_fd_types},
2889 {"path",
2890 PT_FSPATH,
2891 PF_NA},
2892 {"ino_num", PT_UINT64, PF_DEC}}},
2893 [PPME_ITER_TASK_FILE_ANON_INODE_X] = {"NA", EC_UNKNOWN, EF_UNUSED, 0},
2894 [PPME_SYSCALL_KEYCTL_E] = {"NA", EC_UNKNOWN, EF_UNUSED, 0},
2895 [PPME_SYSCALL_KEYCTL_X] =
2896 {"keyctl",
2897 EC_OTHER | EC_SYSCALL,
2898 EF_NONE,
2899 6,
2900 {{"res", PT_ERRNO, PF_DEC},
2901 {"operation", PT_ENUMFLAGS32, PF_DEC, keyctl_operations},
2902 {"arg2", PT_DYN, PF_DEC, keyctl_dynamic_param, PPM_KEYCTL_IDX_MAX},
2903 {"arg3", PT_DYN, PF_DEC, keyctl_dynamic_param, PPM_KEYCTL_IDX_MAX},
2904 {"arg4", PT_DYN, PF_DEC, keyctl_dynamic_param, PPM_KEYCTL_IDX_MAX},
2905 {"arg5", PT_DYN, PF_DEC, keyctl_dynamic_param, PPM_KEYCTL_IDX_MAX}}},
2906}