1use falco_schema_derive::event_info;
2
3event_info! {
4 [PPME_GENERIC_E] = {"syscall",
5 EC_OTHER | EC_SYSCALL,
6 EF_OLD_VERSION | EF_CONVERTER_MANAGED,
7 2,
8 {{"id", PT_SYSCALLID, PF_DEC}, {"native_id", PT_UINT16, PF_DEC}}},
9 [PPME_GENERIC_X] = {"syscall",
10 EC_OTHER | EC_SYSCALL,
11 EF_CONVERTER_MANAGED,
12 2,
13 {{"id", PT_SYSCALLID, PF_DEC}, {"native_id", PT_UINT16, PF_DEC}}},
14 [PPME_SYSCALL_OPEN_E] = {"open",
15 EC_FILE | EC_SYSCALL,
16 EF_CREATES_FD | EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
17 3,
18 {{"name", PT_FSPATH, PF_NA},
19 {"flags", PT_FLAGS32, PF_HEX, file_flags},
20 {"mode", PT_UINT32, PF_OCT}}},
21 [PPME_SYSCALL_OPEN_X] = {"open",
22 EC_FILE | EC_SYSCALL,
23 EF_CREATES_FD | EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
24 6,
25 {{"fd", PT_FD, PF_DEC},
26 {"name", PT_FSPATH, PF_NA},
27 {"flags", PT_FLAGS32, PF_HEX, file_flags},
28 {"mode", PT_UINT32, PF_OCT},
29 {"dev", PT_UINT32, PF_HEX},
30 {"ino", PT_UINT64, PF_DEC}}},
31 [PPME_SYSCALL_CLOSE_E] = {"close",
32 EC_IO_OTHER | EC_SYSCALL,
33 EF_OLD_VERSION | EF_DESTROYS_FD | EF_USES_FD | EF_MODIFIES_STATE |
34 EF_CONVERTER_MANAGED,
35 1,
36 {{"fd", PT_FD, PF_DEC}}},
37 [PPME_SYSCALL_CLOSE_X] = {"close",
38 EC_IO_OTHER | EC_SYSCALL,
39 EF_DESTROYS_FD | EF_USES_FD | EF_MODIFIES_STATE |
40 EF_CONVERTER_MANAGED,
41 2,
42 {{"res", PT_ERRNO, PF_DEC}, {"fd", PT_FD, PF_DEC}}},
43 [PPME_SYSCALL_READ_E] = {"read",
44 EC_IO_READ | EC_SYSCALL,
45 EF_OLD_VERSION | EF_USES_FD | EF_READS_FROM_FD |
46 EF_CONVERTER_MANAGED,
47 2,
48 {{"fd", PT_FD, PF_DEC}, {"size", PT_UINT32, PF_DEC}}},
49 [PPME_SYSCALL_READ_X] = {"read",
50 EC_IO_READ | EC_SYSCALL,
51 EF_USES_FD | EF_READS_FROM_FD | EF_CONVERTER_MANAGED,
52 4,
53 {{"res", PT_ERRNO, PF_DEC},
54 {"data", PT_BYTEBUF, PF_NA},
55 {"fd", PT_FD, PF_DEC},
56 {"size", PT_UINT32, PF_DEC}}},
57 [PPME_SYSCALL_WRITE_E] = {"write",
58 EC_IO_WRITE | EC_SYSCALL,
59 EF_OLD_VERSION | EF_USES_FD | EF_WRITES_TO_FD |
60 EF_CONVERTER_MANAGED,
61 2,
62 {{"fd", PT_FD, PF_DEC}, {"size", PT_UINT32, PF_DEC}}},
63 [PPME_SYSCALL_WRITE_X] = {"write",
64 EC_IO_WRITE | EC_SYSCALL,
65 EF_USES_FD | EF_WRITES_TO_FD | EF_CONVERTER_MANAGED,
66 4,
67 {{"res", PT_ERRNO, PF_DEC},
68 {"data", PT_BYTEBUF, PF_NA},
69 {"fd", PT_FD, PF_DEC},
70 {"size", PT_UINT32, PF_DEC}}},
71 [PPME_SYSCALL_BRK_1_E] = {"brk",
72 EC_MEMORY | EC_SYSCALL,
73 EF_OLD_VERSION | EF_CONVERTER_MANAGED,
74 1,
75 {{"size", PT_UINT32, PF_DEC}}},
76 [PPME_SYSCALL_BRK_1_X] = {"brk",
77 EC_MEMORY | EC_SYSCALL,
78 EF_OLD_VERSION | EF_CONVERTER_MANAGED,
79 1,
80 {{"res", PT_UINT64, PF_HEX}}},
81 [PPME_SYSCALL_EXECVE_8_E] = {"execve",
82 EC_PROCESS | EC_SYSCALL,
83 EF_OLD_VERSION | EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
84 0},
85 [PPME_SYSCALL_EXECVE_8_X] = {"execve",
86 EC_PROCESS | EC_SYSCALL,
87 EF_OLD_VERSION | EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
88 8,
89 {{"res", PT_ERRNO, PF_DEC},
90 {"exe", PT_CHARBUF, PF_NA},
91 {"args", PT_BYTEBUF, PF_NA},
92 {"tid", PT_PID, PF_DEC},
93 {"pid", PT_PID, PF_DEC},
94 {"ptid", PT_PID, PF_DEC},
95 {"cwd", PT_CHARBUF, PF_NA},
96 {"fdlimit", PT_UINT64, PF_DEC}}},
97 [PPME_SYSCALL_CLONE_11_E] = {"clone",
98 EC_PROCESS | EC_SYSCALL,
99 EF_OLD_VERSION | EF_MODIFIES_STATE,
100 0},
101 [PPME_SYSCALL_CLONE_11_X] = {"clone",
102 EC_PROCESS | EC_SYSCALL,
103 EF_OLD_VERSION | EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
104 11,
105 {{"res", PT_PID, PF_DEC},
106 {"exe", PT_CHARBUF, PF_NA},
107 {"args", PT_BYTEBUF, PF_NA},
108 {"tid", PT_PID, PF_DEC},
109 {"pid", PT_PID, PF_DEC},
110 {"ptid", PT_PID, PF_DEC},
111 {"cwd", PT_CHARBUF, PF_NA},
112 {"fdlimit", PT_INT64, PF_DEC},
113 {"flags", PT_FLAGS32, PF_HEX, clone_flags},
114 {"uid", PT_UINT32, PF_DEC},
115 {"gid", PT_UINT32, PF_DEC}}},
116 [PPME_PROCEXIT_E] = {"procexit",
117 EC_PROCESS | EC_TRACEPOINT,
118 EF_OLD_VERSION | EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
119 0},
120 [PPME_PROCEXIT_X] = {"NA", EC_UNKNOWN, EF_UNUSED, 0},
121 [PPME_SOCKET_SOCKET_E] = {"socket",
122 EC_NET | EC_SYSCALL,
123 EF_OLD_VERSION | EF_CREATES_FD | EF_MODIFIES_STATE |
124 EF_CONVERTER_MANAGED,
125 3,
126 {{"domain", PT_ENUMFLAGS32, PF_DEC, socket_families},
127 {"type", PT_UINT32, PF_DEC},
128 {"proto", PT_UINT32, PF_DEC}}},
129 [PPME_SOCKET_SOCKET_X] = {"socket",
130 EC_NET | EC_SYSCALL,
131 EF_CREATES_FD | EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
132 4,
133 {{"fd", PT_FD, PF_DEC},
134 {"domain", PT_ENUMFLAGS32, PF_DEC, socket_families},
135 {"type", PT_UINT32, PF_DEC},
136 {"proto", PT_UINT32, PF_DEC}}},
137 [PPME_SOCKET_BIND_E] = {"bind",
138 EC_NET | EC_SYSCALL,
139 EF_OLD_VERSION | EF_USES_FD | EF_MODIFIES_STATE |
140 EF_CONVERTER_MANAGED,
141 1,
142 {{"fd", PT_FD, PF_DEC}}},
143 [PPME_SOCKET_BIND_X] = {"bind",
144 EC_NET | EC_SYSCALL,
145 EF_USES_FD | EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
146 3,
147 {{"res", PT_ERRNO, PF_DEC},
148 {"addr", PT_SOCKADDR, PF_NA},
149 {"fd", PT_FD, PF_DEC}}},
150 [PPME_SOCKET_CONNECT_E] = {"connect",
151 EC_NET | EC_SYSCALL,
152 EF_USES_FD | EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
153 2,
154 {{"fd", PT_FD, PF_DEC}, {"addr", PT_SOCKADDR, PF_NA}}},
155 [PPME_SOCKET_CONNECT_X] = {"connect",
156 EC_NET | EC_SYSCALL,
157 EF_USES_FD | EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
158 4,
159 {{"res", PT_ERRNO, PF_DEC},
160 {"tuple", PT_SOCKTUPLE, PF_NA},
161 {"fd", PT_FD, PF_DEC},
162 {"addr", PT_SOCKADDR, PF_NA}}},
163 [PPME_SOCKET_LISTEN_E] = {"listen",
164 EC_NET | EC_SYSCALL,
165 EF_OLD_VERSION | EF_USES_FD | EF_CONVERTER_MANAGED,
166 2,
167 {{"fd", PT_FD, PF_DEC}, {"backlog", PT_INT32, PF_DEC}}},
168 [PPME_SOCKET_LISTEN_X] = {"listen",
169 EC_NET | EC_SYSCALL,
170 EF_USES_FD | EF_CONVERTER_MANAGED,
171 3,
172 {{"res", PT_ERRNO, PF_DEC},
173 {"fd", PT_FD, PF_DEC},
174 {"backlog", PT_INT32, PF_DEC}}},
175 [PPME_SOCKET_ACCEPT_E] = {"accept",
176 EC_NET | EC_SYSCALL,
177 EF_OLD_VERSION | EF_CREATES_FD | EF_MODIFIES_STATE,
178 0},
179 [PPME_SOCKET_ACCEPT_X] = {"accept",
180 EC_NET | EC_SYSCALL,
181 EF_OLD_VERSION | EF_CREATES_FD | EF_MODIFIES_STATE |
182 EF_CONVERTER_MANAGED,
183 3,
184 {{"fd", PT_FD, PF_DEC},
185 {"tuple", PT_SOCKTUPLE, PF_NA},
186 {"queuepct", PT_UINT8, PF_DEC}}},
187 [PPME_SOCKET_SEND_E] = {"send",
188 EC_IO_WRITE | EC_SYSCALL,
189 EF_OLD_VERSION | EF_USES_FD | EF_WRITES_TO_FD |
190 EF_CONVERTER_MANAGED,
191 2,
192 {{"fd", PT_FD, PF_DEC}, {"size", PT_UINT32, PF_DEC}}},
193 [PPME_SOCKET_SEND_X] = {"send",
194 EC_IO_WRITE | EC_SYSCALL,
195 EF_USES_FD | EF_WRITES_TO_FD | EF_CONVERTER_MANAGED,
196 5,
197 {{"res", PT_ERRNO, PF_DEC},
198 {"data", PT_BYTEBUF, PF_NA},
199 {"fd", PT_FD, PF_DEC},
200 {"size", PT_UINT32, PF_DEC},
201 {"tuple", PT_SOCKTUPLE, PF_NA}}},
202 [PPME_SOCKET_SENDTO_E] = {"sendto",
203 EC_IO_WRITE | EC_SYSCALL,
204 EF_OLD_VERSION | EF_USES_FD | EF_WRITES_TO_FD |
205 EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
206 3,
207 {{"fd", PT_FD, PF_DEC},
208 {"size", PT_UINT32, PF_DEC},
209 {"tuple", PT_SOCKTUPLE, PF_NA}}},
210 [PPME_SOCKET_SENDTO_X] = {"sendto",
211 EC_IO_WRITE | EC_SYSCALL,
212 EF_USES_FD | EF_WRITES_TO_FD | EF_MODIFIES_STATE |
213 EF_CONVERTER_MANAGED,
214 5,
215 {{"res", PT_ERRNO, PF_DEC},
216 {"data", PT_BYTEBUF, PF_NA},
217 {"fd", PT_FD, PF_DEC},
218 {"size", PT_UINT32, PF_DEC},
219 {"tuple", PT_SOCKTUPLE, PF_NA}}},
220 [PPME_SOCKET_RECV_E] = {"recv",
221 EC_IO_READ | EC_SYSCALL,
222 EF_OLD_VERSION | EF_USES_FD | EF_READS_FROM_FD |
223 EF_CONVERTER_MANAGED,
224 2,
225 {{"fd", PT_FD, PF_DEC}, {"size", PT_UINT32, PF_DEC}}},
226 [PPME_SOCKET_RECV_X] = {"recv",
227 EC_IO_READ | EC_SYSCALL,
228 EF_USES_FD | EF_READS_FROM_FD | EF_CONVERTER_MANAGED,
229 5,
230 {{"res", PT_ERRNO, PF_DEC},
231 {"data", PT_BYTEBUF, PF_NA},
232 {"fd", PT_FD, PF_DEC},
233 {"size", PT_UINT32, PF_DEC},
234 {"tuple", PT_SOCKTUPLE, PF_NA}}},
235 [PPME_SOCKET_RECVFROM_E] = {"recvfrom",
236 EC_IO_READ | EC_SYSCALL,
237 EF_OLD_VERSION | EF_USES_FD | EF_READS_FROM_FD |
238 EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
239 2,
240 {{"fd", PT_FD, PF_DEC}, {"size", PT_UINT32, PF_DEC}}},
241 [PPME_SOCKET_RECVFROM_X] = {"recvfrom",
242 EC_IO_READ | EC_SYSCALL,
243 EF_USES_FD | EF_READS_FROM_FD | EF_MODIFIES_STATE |
244 EF_CONVERTER_MANAGED,
245 5,
246 {{"res", PT_ERRNO, PF_DEC},
247 {"data", PT_BYTEBUF, PF_NA},
248 {"tuple", PT_SOCKTUPLE, PF_NA},
249 {"fd", PT_FD, PF_DEC},
250 {"size", PT_UINT32, PF_DEC}}},
251 [PPME_SOCKET_SHUTDOWN_E] = {"shutdown",
252 EC_NET | EC_SYSCALL,
253 EF_OLD_VERSION | EF_USES_FD | EF_MODIFIES_STATE |
254 EF_CONVERTER_MANAGED,
255 2,
256 {{"fd", PT_FD, PF_DEC},
257 {"how", PT_ENUMFLAGS8, PF_HEX, shutdown_how}}},
258 [PPME_SOCKET_SHUTDOWN_X] = {"shutdown",
259 EC_NET | EC_SYSCALL,
260 EF_USES_FD | EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
261 3,
262 {{"res", PT_ERRNO, PF_DEC},
263 {"fd", PT_FD, PF_DEC},
264 {"how", PT_ENUMFLAGS8, PF_HEX, shutdown_how}}},
265 [PPME_SOCKET_GETSOCKNAME_E] = {"getsockname", EC_NET | EC_SYSCALL, EF_OLD_VERSION, 0},
266 [PPME_SOCKET_GETSOCKNAME_X] = {"getsockname", EC_NET | EC_SYSCALL, EF_NONE, 0},
267 [PPME_SOCKET_GETPEERNAME_E] = {"getpeername", EC_NET | EC_SYSCALL, EF_OLD_VERSION, 0},
268 [PPME_SOCKET_GETPEERNAME_X] = {"getpeername", EC_NET | EC_SYSCALL, EF_NONE, 0},
269 [PPME_SOCKET_SOCKETPAIR_E] = {"socketpair",
270 EC_IPC | EC_SYSCALL,
271 EF_OLD_VERSION | EF_CREATES_FD | EF_MODIFIES_STATE |
272 EF_CONVERTER_MANAGED,
273 3,
274 {{"domain", PT_ENUMFLAGS32, PF_DEC, socket_families},
275 {"type", PT_UINT32, PF_DEC},
276 {"proto", PT_UINT32, PF_DEC}}},
277 [PPME_SOCKET_SOCKETPAIR_X] = {"socketpair",
278 EC_IPC | EC_SYSCALL,
279 EF_CREATES_FD | EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
280 8,
281 {{"res", PT_ERRNO, PF_DEC},
282 {"fd1", PT_FD, PF_DEC},
283 {"fd2", PT_FD, PF_DEC},
284 {"source", PT_UINT64, PF_HEX},
285 {"peer", PT_UINT64, PF_HEX},
286 {"domain", PT_ENUMFLAGS32, PF_DEC, socket_families},
287 {"type", PT_UINT32, PF_DEC},
288 {"proto", PT_UINT32, PF_DEC}}},
289 [PPME_SOCKET_SETSOCKOPT_E] = {"setsockopt", EC_NET | EC_SYSCALL, EF_OLD_VERSION, 0},
290 [PPME_SOCKET_SETSOCKOPT_X] =
291 {"setsockopt",
292 EC_NET | EC_SYSCALL,
293 EF_USES_FD,
294 6,
295 {{"res", PT_ERRNO, PF_DEC},
296 {"fd", PT_FD, PF_DEC},
297 {"level", PT_ENUMFLAGS8, PF_DEC, sockopt_levels},
298 {"optname", PT_ENUMFLAGS8, PF_DEC, sockopt_options},
299 {"val", PT_DYN, PF_DEC, sockopt_dynamic_param, PPM_SOCKOPT_IDX_MAX},
300 {"optlen", PT_UINT32, PF_DEC}}},
301 [PPME_SOCKET_GETSOCKOPT_E] = {"getsockopt",
302 EC_NET | EC_SYSCALL,
303 EF_OLD_VERSION | EF_MODIFIES_STATE,
304 0},
305 [PPME_SOCKET_GETSOCKOPT_X] =
306 {"getsockopt",
307 EC_NET | EC_SYSCALL,
308 EF_USES_FD | EF_MODIFIES_STATE,
309 6,
310 {{"res", PT_ERRNO, PF_DEC},
311 {"fd", PT_FD, PF_DEC},
312 {"level", PT_ENUMFLAGS8, PF_DEC, sockopt_levels},
313 {"optname", PT_ENUMFLAGS8, PF_DEC, sockopt_options},
314 {"val", PT_DYN, PF_DEC, sockopt_dynamic_param, PPM_SOCKOPT_IDX_MAX},
315 {"optlen", PT_UINT32, PF_DEC}}},
316 [PPME_SOCKET_SENDMSG_E] = {"sendmsg",
317 EC_IO_WRITE | EC_SYSCALL,
318 EF_OLD_VERSION | EF_USES_FD | EF_WRITES_TO_FD |
319 EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
320 3,
321 {{"fd", PT_FD, PF_DEC},
322 {"size", PT_UINT32, PF_DEC},
323 {"tuple", PT_SOCKTUPLE, PF_NA}}},
324 [PPME_SOCKET_SENDMSG_X] = {"sendmsg",
325 EC_IO_WRITE | EC_SYSCALL,
326 EF_USES_FD | EF_WRITES_TO_FD | EF_MODIFIES_STATE |
327 EF_CONVERTER_MANAGED,
328 5,
329 {{"res", PT_ERRNO, PF_DEC},
330 {"data", PT_BYTEBUF, PF_NA},
331 {"fd", PT_FD, PF_DEC},
332 {"size", PT_UINT32, PF_DEC},
333 {"tuple", PT_SOCKTUPLE, PF_NA}}},
334 [PPME_SOCKET_SENDMMSG_E] = {"sendmmsg", EC_IO_WRITE | EC_SYSCALL, EF_OLD_VERSION, 0},
335 [PPME_SOCKET_SENDMMSG_X] = {"sendmmsg",
336 EC_IO_WRITE | EC_SYSCALL,
337 EF_USES_FD | EF_WRITES_TO_FD | EF_MODIFIES_STATE |
338 EF_CONVERTER_MANAGED,
339 5,
340 {{"res", PT_ERRNO, PF_DEC},
341 {"fd", PT_FD, PF_DEC},
342 {"size", PT_UINT32, PF_DEC},
343 {"data", PT_BYTEBUF, PF_NA},
344 {"tuple", PT_SOCKTUPLE, PF_NA}}},
345 [PPME_SOCKET_RECVMSG_E] = {"recvmsg",
346 EC_IO_READ | EC_SYSCALL,
347 EF_OLD_VERSION | EF_USES_FD | EF_READS_FROM_FD |
348 EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
349 1,
350 {{"fd", PT_FD, PF_DEC}}},
351 [PPME_SOCKET_RECVMSG_X] = {"recvmsg",
352 EC_IO_READ | EC_SYSCALL,
353 EF_USES_FD | EF_READS_FROM_FD | EF_MODIFIES_STATE |
354 EF_CONVERTER_MANAGED,
355 6,
356 {{"res", PT_ERRNO, PF_DEC},
357 {"size", PT_UINT32, PF_DEC},
358 {"data", PT_BYTEBUF, PF_NA},
359 {"tuple", PT_SOCKTUPLE, PF_NA},
360 {"msgcontrol", PT_BYTEBUF, PF_NA},
361 {"fd", PT_FD, PF_DEC}}},
362 [PPME_SOCKET_RECVMMSG_E] = {"recvmmsg", EC_IO_READ | EC_SYSCALL, EF_OLD_VERSION, 0},
363 [PPME_SOCKET_RECVMMSG_X] = {"recvmmsg",
364 EC_IO_READ | EC_SYSCALL,
365 EF_USES_FD | EF_READS_FROM_FD | EF_MODIFIES_STATE |
366 EF_CONVERTER_MANAGED,
367 6,
368 {{"res", PT_ERRNO, PF_DEC},
369 {"fd", PT_FD, PF_DEC},
370 {"size", PT_UINT32, PF_DEC},
371 {"data", PT_BYTEBUF, PF_NA},
372 {"tuple", PT_SOCKTUPLE, PF_NA},
373 {"msgcontrol", PT_BYTEBUF, PF_NA}}},
374 [PPME_SOCKET_ACCEPT4_E] = {"accept",
375 EC_NET | EC_SYSCALL,
376 EF_OLD_VERSION | EF_CREATES_FD | EF_MODIFIES_STATE |
377 EF_CONVERTER_MANAGED,
378 1,
379 {{"flags", PT_INT32, PF_HEX}}},
380 [PPME_SOCKET_ACCEPT4_X] = {"accept",
381 EC_NET | EC_SYSCALL,
382 EF_OLD_VERSION | EF_CREATES_FD | EF_MODIFIES_STATE |
383 EF_CONVERTER_MANAGED,
384 3,
385 {{"fd", PT_FD, PF_DEC},
386 {"tuple", PT_SOCKTUPLE, PF_NA},
387 {"queuepct", PT_UINT8, PF_DEC}}},
388 [PPME_SYSCALL_CREAT_E] = {"creat",
389 EC_FILE | EC_SYSCALL,
390 EF_CREATES_FD | EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
391 2,
392 {{"name", PT_FSPATH, PF_NA}, {"mode", PT_UINT32, PF_OCT}}},
393 [PPME_SYSCALL_CREAT_X] = {"creat",
394 EC_FILE | EC_SYSCALL,
395 EF_CREATES_FD | EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
396 6,
397 {{"fd", PT_FD, PF_DEC},
398 {"name", PT_FSPATH, PF_NA},
399 {"mode", PT_UINT32, PF_OCT},
400 {"dev", PT_UINT32, PF_HEX},
401 {"ino", PT_UINT64, PF_DEC},
402 {"creat_flags", PT_FLAGS16, PF_HEX, creat_flags}}},
403 [PPME_SYSCALL_PIPE_E] = {"pipe",
404 EC_IPC | EC_SYSCALL,
405 EF_OLD_VERSION | EF_CREATES_FD | EF_MODIFIES_STATE,
406 0},
407 [PPME_SYSCALL_PIPE_X] = {"pipe",
408 EC_IPC | EC_SYSCALL,
409 EF_CREATES_FD | EF_MODIFIES_STATE,
410 4,
411 {{"res", PT_ERRNO, PF_DEC},
412 {"fd1", PT_FD, PF_DEC},
413 {"fd2", PT_FD, PF_DEC},
414 {"ino", PT_UINT64, PF_DEC}}},
415 [PPME_SYSCALL_EVENTFD_E] = {"eventfd",
416 EC_IPC | EC_SYSCALL,
417 EF_OLD_VERSION | EF_CREATES_FD | EF_MODIFIES_STATE |
418 EF_CONVERTER_MANAGED,
419 2,
420 {{"initval", PT_UINT64, PF_DEC}, {"flags", PT_UINT32, PF_HEX}}},
421 [PPME_SYSCALL_EVENTFD_X] = {"eventfd",
422 EC_IPC | EC_SYSCALL,
423 EF_CREATES_FD | EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
424 3,
425 {{"res", PT_FD, PF_DEC},
426 {"initval", PT_UINT64, PF_DEC},
427 {"flags", PT_UINT32, PF_HEX}}},
428 [PPME_SYSCALL_FUTEX_E] = {"futex",
429 EC_IPC | EC_SYSCALL,
430 EF_OLD_VERSION | EF_CONVERTER_MANAGED,
431 3,
432 {{"addr", PT_UINT64, PF_HEX},
433 {"op", PT_FLAGS16, PF_HEX, futex_operations},
434 {"val", PT_UINT64, PF_DEC}}},
435 [PPME_SYSCALL_FUTEX_X] = {"futex",
436 EC_IPC | EC_SYSCALL,
437 EF_CONVERTER_MANAGED,
438 4,
439 {{"res", PT_ERRNO, PF_DEC},
440 {"addr", PT_UINT64, PF_HEX},
441 {"op", PT_FLAGS16, PF_HEX, futex_operations},
442 {"val", PT_UINT64, PF_DEC}}},
443 [PPME_SYSCALL_STAT_E] = {"stat", EC_FILE | EC_SYSCALL, EF_OLD_VERSION, 0},
444 [PPME_SYSCALL_STAT_X] = {"stat",
445 EC_FILE | EC_SYSCALL,
446 EF_NONE,
447 2,
448 {{"res", PT_ERRNO, PF_DEC}, {"path", PT_FSPATH, PF_NA}}},
449 [PPME_SYSCALL_LSTAT_E] = {"lstat", EC_FILE | EC_SYSCALL, EF_OLD_VERSION, 0},
450 [PPME_SYSCALL_LSTAT_X] = {"lstat",
451 EC_FILE | EC_SYSCALL,
452 EF_NONE,
453 2,
454 {{"res", PT_ERRNO, PF_DEC}, {"path", PT_FSPATH, PF_NA}}},
455 [PPME_SYSCALL_FSTAT_E] = {"fstat",
456 EC_FILE | EC_SYSCALL,
457 EF_OLD_VERSION | EF_USES_FD | EF_CONVERTER_MANAGED,
458 1,
459 {{"fd", PT_FD, PF_NA}}},
460 [PPME_SYSCALL_FSTAT_X] = {"fstat",
461 EC_FILE | EC_SYSCALL,
462 EF_USES_FD | EF_CONVERTER_MANAGED,
463 2,
464 {{"res", PT_ERRNO, PF_DEC}, {"fd", PT_FD, PF_NA}}},
465 [PPME_SYSCALL_STAT64_E] = {"stat64", EC_FILE | EC_SYSCALL, EF_OLD_VERSION, 0},
466 [PPME_SYSCALL_STAT64_X] = {"stat64",
467 EC_FILE | EC_SYSCALL,
468 EF_NONE,
469 2,
470 {{"res", PT_ERRNO, PF_DEC}, {"path", PT_FSPATH, PF_NA}}},
471 [PPME_SYSCALL_LSTAT64_E] = {"lstat64", EC_FILE | EC_SYSCALL, EF_OLD_VERSION, 0},
472 [PPME_SYSCALL_LSTAT64_X] = {"lstat64",
473 EC_FILE | EC_SYSCALL,
474 EF_NONE,
475 2,
476 {{"res", PT_ERRNO, PF_DEC}, {"path", PT_FSPATH, PF_NA}}},
477 [PPME_SYSCALL_FSTAT64_E] = {"fstat64",
478 EC_FILE | EC_SYSCALL,
479 EF_OLD_VERSION | EF_USES_FD,
480 1,
481 {{"fd", PT_FD, PF_NA}}},
482 [PPME_SYSCALL_FSTAT64_X] =
483 {"fstat64", EC_FILE | EC_SYSCALL, EF_NONE, 1, {{"res", PT_ERRNO, PF_DEC}}},
484 [PPME_SYSCALL_EPOLLWAIT_E] = {"epoll_wait",
485 EC_WAIT | EC_SYSCALL,
486 EF_OLD_VERSION | EF_WAITS | EF_CONVERTER_MANAGED,
487 1,
488 {{"maxevents", PT_ERRNO, PF_DEC}}},
489 [PPME_SYSCALL_EPOLLWAIT_X] = {"epoll_wait",
490 EC_WAIT | EC_SYSCALL,
491 EF_WAITS | EF_CONVERTER_MANAGED,
492 2,
493 {{"res", PT_ERRNO, PF_DEC}, {"maxevents", PT_ERRNO, PF_DEC}}},
494 [PPME_SYSCALL_POLL_E] = {"poll",
495 EC_WAIT | EC_SYSCALL,
496 EF_OLD_VERSION | EF_WAITS | EF_CONVERTER_MANAGED,
497 2,
498 {{"fds", PT_FDLIST, PF_DEC}, {"timeout", PT_INT64, PF_DEC}}},
499 [PPME_SYSCALL_POLL_X] = {"poll",
500 EC_WAIT | EC_SYSCALL,
501 EF_WAITS | EF_CONVERTER_MANAGED,
502 3,
503 {{"res", PT_ERRNO, PF_DEC},
504 {"fds", PT_FDLIST, PF_DEC},
505 {"timeout", PT_INT64, PF_DEC}}},
506 [PPME_SYSCALL_SELECT_E] = {"select", EC_WAIT | EC_SYSCALL, EF_OLD_VERSION | EF_WAITS, 0},
507 [PPME_SYSCALL_SELECT_X] =
508 {"select", EC_WAIT | EC_SYSCALL, EF_WAITS, 1, {{"res", PT_ERRNO, PF_DEC}}},
509 [PPME_SYSCALL_NEWSELECT_E] = {"select", EC_WAIT | EC_SYSCALL, EF_OLD_VERSION | EF_WAITS, 0},
510 [PPME_SYSCALL_NEWSELECT_X] = {"select",
511 EC_WAIT | EC_SYSCALL,
512 EF_OLD_VERSION | EF_WAITS | EF_CONVERTER_MANAGED,
513 1,
514 {{"res", PT_ERRNO, PF_DEC}}},
515 [PPME_SYSCALL_LSEEK_E] = {"lseek",
516 EC_FILE | EC_SYSCALL,
517 EF_OLD_VERSION | EF_USES_FD | EF_CONVERTER_MANAGED,
518 3,
519 {{"fd", PT_FD, PF_DEC},
520 {"offset", PT_UINT64, PF_DEC},
521 {"whence", PT_ENUMFLAGS8, PF_DEC, lseek_whence}}},
522 [PPME_SYSCALL_LSEEK_X] = {"lseek",
523 EC_FILE | EC_SYSCALL,
524 EF_USES_FD | EF_CONVERTER_MANAGED,
525 4,
526 {{"res", PT_ERRNO, PF_DEC},
527 {"fd", PT_FD, PF_DEC},
528 {"offset", PT_UINT64, PF_DEC},
529 {"whence", PT_ENUMFLAGS8, PF_DEC, lseek_whence}}},
530 [PPME_SYSCALL_LLSEEK_E] = {"llseek",
531 EC_FILE | EC_SYSCALL,
532 EF_OLD_VERSION | EF_USES_FD | EF_CONVERTER_MANAGED,
533 3,
534 {{"fd", PT_FD, PF_DEC},
535 {"offset", PT_UINT64, PF_DEC},
536 {"whence", PT_ENUMFLAGS8, PF_DEC, lseek_whence}}},
537 [PPME_SYSCALL_LLSEEK_X] = {"llseek",
538 EC_FILE | EC_SYSCALL,
539 EF_USES_FD | EF_CONVERTER_MANAGED,
540 4,
541 {{"res", PT_ERRNO, PF_DEC},
542 {"fd", PT_FD, PF_DEC},
543 {"offset", PT_UINT64, PF_DEC},
544 {"whence", PT_ENUMFLAGS8, PF_DEC, lseek_whence}}},
545 [PPME_SYSCALL_IOCTL_2_E] = {"ioctl",
546 EC_IO_OTHER | EC_SYSCALL,
547 EF_OLD_VERSION | EF_USES_FD | EF_CONVERTER_MANAGED,
548 2,
549 {{"fd", PT_FD, PF_DEC}, {"request", PT_UINT64, PF_HEX}}},
550 [PPME_SYSCALL_IOCTL_2_X] = {"ioctl",
551 EC_IO_OTHER | EC_SYSCALL,
552 EF_OLD_VERSION | EF_USES_FD | EF_CONVERTER_MANAGED,
553 1,
554 {{"res", PT_ERRNO, PF_DEC}}},
555 [PPME_SYSCALL_GETCWD_E] = {"getcwd", EC_FILE | EC_SYSCALL, EF_OLD_VERSION, 0},
556 [PPME_SYSCALL_GETCWD_X] = {"getcwd",
559 EC_FILE | EC_SYSCALL,
560 EF_NONE,
561 2,
562 {{"res", PT_ERRNO, PF_DEC}, {"path", PT_CHARBUF, PF_NA}}},
563 [PPME_SYSCALL_CHDIR_E] = {"chdir",
566 EC_FILE | EC_SYSCALL,
567 EF_OLD_VERSION | EF_MODIFIES_STATE,
568 0},
569 [PPME_SYSCALL_CHDIR_X] = {"chdir",
570 EC_FILE | EC_SYSCALL,
571 EF_MODIFIES_STATE,
572 2,
573 {{"res", PT_ERRNO, PF_DEC}, {"path", PT_CHARBUF, PF_NA}}},
574 [PPME_SYSCALL_FCHDIR_E] = {"fchdir",
575 EC_FILE | EC_SYSCALL,
576 EF_OLD_VERSION | EF_USES_FD | EF_MODIFIES_STATE |
577 EF_CONVERTER_MANAGED,
578 1,
579 {{"fd", PT_FD, PF_NA}}},
580 [PPME_SYSCALL_FCHDIR_X] = {"fchdir",
581 EC_FILE | EC_SYSCALL,
582 EF_USES_FD | EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
583 2,
584 {{"res", PT_ERRNO, PF_DEC}, {"fd", PT_FD, PF_NA}}},
585 [PPME_SYSCALL_MKDIR_E] = {"mkdir",
586 EC_FILE | EC_SYSCALL,
587 EF_OLD_VERSION | EF_CONVERTER_MANAGED,
588 2,
589 {{"path", PT_FSPATH, PF_NA}, {"mode", PT_UINT32, PF_HEX}}},
590 [PPME_SYSCALL_MKDIR_X] = {"mkdir",
591 EC_FILE | EC_SYSCALL,
592 EF_OLD_VERSION | EF_CONVERTER_MANAGED,
593 1,
594 {{"res", PT_ERRNO, PF_DEC}}},
595 [PPME_SYSCALL_RMDIR_E] = {"rmdir",
596 EC_FILE | EC_SYSCALL,
597 EF_OLD_VERSION | EF_CONVERTER_MANAGED,
598 1,
599 {{"path", PT_FSPATH, PF_NA}}},
600 [PPME_SYSCALL_RMDIR_X] = {"rmdir",
601 EC_FILE | EC_SYSCALL,
602 EF_OLD_VERSION | EF_CONVERTER_MANAGED,
603 1,
604 {{"res", PT_ERRNO, PF_DEC}}},
605 [PPME_SYSCALL_OPENAT_E] = {"openat",
606 EC_FILE | EC_SYSCALL,
607 EF_OLD_VERSION | EF_CREATES_FD | EF_MODIFIES_STATE |
608 EF_CONVERTER_MANAGED,
609 4,
610 {{"dirfd", PT_FD, PF_DEC},
611 {"name", PT_CHARBUF, PF_NA},
612 {"flags", PT_FLAGS32, PF_HEX, file_flags},
613 {"mode", PT_UINT32, PF_OCT}}},
614 [PPME_SYSCALL_OPENAT_X] = {"openat",
615 EC_FILE | EC_SYSCALL,
616 EF_OLD_VERSION | EF_CREATES_FD | EF_MODIFIES_STATE |
617 EF_CONVERTER_MANAGED,
618 1,
619 {{"fd", PT_FD, PF_DEC}}},
620 [PPME_SYSCALL_LINK_E] = {"link",
621 EC_FILE | EC_SYSCALL,
622 EF_OLD_VERSION | EF_CONVERTER_MANAGED,
623 2,
624 {{"oldpath", PT_FSPATH, PF_NA}, {"newpath", PT_FSPATH, PF_NA}}},
625 [PPME_SYSCALL_LINK_X] = {"link",
626 EC_FILE | EC_SYSCALL,
627 EF_OLD_VERSION | EF_CONVERTER_MANAGED,
628 1,
629 {{"res", PT_ERRNO, PF_DEC}}},
630 [PPME_SYSCALL_LINKAT_E] = {"linkat",
631 EC_FILE | EC_SYSCALL,
632 EF_OLD_VERSION | EF_CONVERTER_MANAGED,
633 4,
634 {{"olddir", PT_FD, PF_DEC},
635 {"oldpath", PT_CHARBUF, PF_NA},
636 {"newdir", PT_FD, PF_DEC},
637 {"newpath", PT_CHARBUF, PF_NA}}},
638 [PPME_SYSCALL_LINKAT_X] = {"linkat",
639 EC_FILE | EC_SYSCALL,
640 EF_OLD_VERSION | EF_CONVERTER_MANAGED,
641 1,
642 {{"res", PT_ERRNO, PF_DEC}}},
643 [PPME_SYSCALL_UNLINK_E] = {"unlink",
644 EC_FILE | EC_SYSCALL,
645 EF_OLD_VERSION | EF_CONVERTER_MANAGED,
646 1,
647 {{"path", PT_FSPATH, PF_NA}}},
648 [PPME_SYSCALL_UNLINK_X] = {"unlink",
649 EC_FILE | EC_SYSCALL,
650 EF_OLD_VERSION | EF_CONVERTER_MANAGED,
651 1,
652 {{"res", PT_ERRNO, PF_DEC}}},
653 [PPME_SYSCALL_UNLINKAT_E] = {"unlinkat",
654 EC_FILE | EC_SYSCALL,
655 EF_OLD_VERSION | EF_CONVERTER_MANAGED,
656 2,
657 {{"dirfd", PT_FD, PF_DEC}, {"name", PT_CHARBUF, PF_NA}}},
658 [PPME_SYSCALL_UNLINKAT_X] = {"unlinkat",
659 EC_FILE | EC_SYSCALL,
660 EF_OLD_VERSION | EF_CONVERTER_MANAGED,
661 1,
662 {{"res", PT_ERRNO, PF_DEC}}},
663 [PPME_SYSCALL_PREAD_E] =
664 {"pread",
665 EC_IO_READ | EC_SYSCALL,
666 EF_OLD_VERSION | EF_USES_FD | EF_READS_FROM_FD | EF_CONVERTER_MANAGED,
667 3,
668 {{"fd", PT_FD, PF_DEC}, {"size", PT_UINT32, PF_DEC}, {"pos", PT_UINT64, PF_DEC}}},
669 [PPME_SYSCALL_PREAD_X] = {"pread",
670 EC_IO_READ | EC_SYSCALL,
671 EF_USES_FD | EF_READS_FROM_FD | EF_CONVERTER_MANAGED,
672 5,
673 {{"res", PT_ERRNO, PF_DEC},
674 {"data", PT_BYTEBUF, PF_NA},
675 {"fd", PT_FD, PF_DEC},
676 {"size", PT_UINT32, PF_DEC},
677 {"pos", PT_UINT64, PF_DEC}}},
678 [PPME_SYSCALL_PWRITE_E] =
679 {"pwrite",
680 EC_IO_WRITE | EC_SYSCALL,
681 EF_OLD_VERSION | EF_USES_FD | EF_WRITES_TO_FD | EF_CONVERTER_MANAGED,
682 3,
683 {{"fd", PT_FD, PF_DEC}, {"size", PT_UINT32, PF_DEC}, {"pos", PT_UINT64, PF_DEC}}},
684 [PPME_SYSCALL_PWRITE_X] = {"pwrite",
685 EC_IO_WRITE | EC_SYSCALL,
686 EF_USES_FD | EF_WRITES_TO_FD | EF_CONVERTER_MANAGED,
687 5,
688 {{"res", PT_ERRNO, PF_DEC},
689 {"data", PT_BYTEBUF, PF_NA},
690 {"fd", PT_FD, PF_DEC},
691 {"size", PT_UINT32, PF_DEC},
692 {"pos", PT_UINT64, PF_DEC}}},
693 [PPME_SYSCALL_READV_E] = {"readv",
694 EC_IO_READ | EC_SYSCALL,
695 EF_OLD_VERSION | EF_USES_FD | EF_READS_FROM_FD |
696 EF_CONVERTER_MANAGED,
697 1,
698 {{"fd", PT_FD, PF_DEC}}},
699 [PPME_SYSCALL_READV_X] = {"readv",
700 EC_IO_READ | EC_SYSCALL,
701 EF_USES_FD | EF_READS_FROM_FD | EF_CONVERTER_MANAGED,
702 4,
703 {{"res", PT_ERRNO, PF_DEC},
704 {"size", PT_UINT32, PF_DEC},
705 {"data", PT_BYTEBUF, PF_NA},
706 {"fd", PT_FD, PF_DEC}}},
707 [PPME_SYSCALL_WRITEV_E] = {"writev",
708 EC_IO_WRITE | EC_SYSCALL,
709 EF_OLD_VERSION | EF_USES_FD | EF_WRITES_TO_FD |
710 EF_CONVERTER_MANAGED,
711 2,
712 {{"fd", PT_FD, PF_DEC}, {"size", PT_UINT32, PF_DEC}}},
713 [PPME_SYSCALL_WRITEV_X] = {"writev",
714 EC_IO_WRITE | EC_SYSCALL,
715 EF_USES_FD | EF_WRITES_TO_FD | EF_CONVERTER_MANAGED,
716 4,
717 {{"res", PT_ERRNO, PF_DEC},
718 {"data", PT_BYTEBUF, PF_NA},
719 {"fd", PT_FD, PF_DEC},
720 {"size", PT_UINT32, PF_DEC}}},
721 [PPME_SYSCALL_PREADV_E] = {"preadv",
722 EC_IO_READ | EC_SYSCALL,
723 EF_OLD_VERSION | EF_USES_FD | EF_READS_FROM_FD |
724 EF_CONVERTER_MANAGED,
725 2,
726 {{"fd", PT_FD, PF_DEC}, {"pos", PT_UINT64, PF_DEC}}},
727 [PPME_SYSCALL_PREADV_X] = {"preadv",
728 EC_IO_READ | EC_SYSCALL,
729 EF_USES_FD | EF_READS_FROM_FD | EF_CONVERTER_MANAGED,
730 5,
731 {{"res", PT_ERRNO, PF_DEC},
732 {"size", PT_UINT32, PF_DEC},
733 {"data", PT_BYTEBUF, PF_NA},
734 {"fd", PT_FD, PF_DEC},
735 {"pos", PT_UINT64, PF_DEC}}},
736 [PPME_SYSCALL_PWRITEV_E] =
737 {"pwritev",
738 EC_IO_WRITE | EC_SYSCALL,
739 EF_OLD_VERSION | EF_USES_FD | EF_WRITES_TO_FD | EF_CONVERTER_MANAGED,
740 3,
741 {{"fd", PT_FD, PF_DEC}, {"size", PT_UINT32, PF_DEC}, {"pos", PT_UINT64, PF_DEC}}},
742 [PPME_SYSCALL_PWRITEV_X] = {"pwritev",
743 EC_IO_WRITE | EC_SYSCALL,
744 EF_USES_FD | EF_WRITES_TO_FD | EF_CONVERTER_MANAGED,
745 5,
746 {{"res", PT_ERRNO, PF_DEC},
747 {"data", PT_BYTEBUF, PF_NA},
748 {"fd", PT_FD, PF_DEC},
749 {"size", PT_UINT32, PF_DEC},
750 {"pos", PT_UINT64, PF_DEC}}},
751 [PPME_SYSCALL_DUP_E] = {"dup",
752 EC_IO_OTHER | EC_SYSCALL,
753 EF_OLD_VERSION | EF_CREATES_FD | EF_USES_FD | EF_MODIFIES_STATE |
754 EF_CONVERTER_MANAGED,
755 1,
756 {{"fd", PT_FD, PF_DEC}}},
757 [PPME_SYSCALL_DUP_X] = {"dup",
758 EC_IO_OTHER | EC_SYSCALL,
759 EF_OLD_VERSION | EF_CREATES_FD | EF_USES_FD | EF_MODIFIES_STATE |
760 EF_CONVERTER_MANAGED,
761 1,
762 {{"res", PT_FD, PF_DEC}}},
763 [PPME_SYSCALL_SIGNALFD_E] =
764 {"signalfd",
765 EC_SIGNAL | EC_SYSCALL,
766 EF_OLD_VERSION | EF_CREATES_FD | EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
767 3,
768 {{"fd", PT_FD, PF_DEC}, {"mask", PT_UINT32, PF_HEX}, {"flags", PT_UINT8, PF_HEX}}},
769 [PPME_SYSCALL_SIGNALFD_X] = {"signalfd",
770 EC_SIGNAL | EC_SYSCALL,
771 EF_CREATES_FD | EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
772 4,
773 {{"res", PT_FD, PF_DEC},
774 {"fd", PT_FD, PF_DEC},
775 {"mask", PT_UINT32, PF_HEX},
776 {"flags", PT_UINT8, PF_HEX}}},
777 [PPME_SYSCALL_KILL_E] = {"kill",
778 EC_SIGNAL | EC_SYSCALL,
779 EF_OLD_VERSION | EF_CONVERTER_MANAGED,
780 2,
781 {{"pid", PT_PID, PF_DEC}, {"sig", PT_SIGTYPE, PF_DEC}}},
782 [PPME_SYSCALL_KILL_X] = {"kill",
783 EC_SIGNAL | EC_SYSCALL,
784 EF_CONVERTER_MANAGED,
785 3,
786 {{"res", PT_ERRNO, PF_DEC},
787 {"pid", PT_PID, PF_DEC},
788 {"sig", PT_SIGTYPE, PF_DEC}}},
789 [PPME_SYSCALL_TKILL_E] = {"tkill",
790 EC_SIGNAL | EC_SYSCALL,
791 EF_OLD_VERSION | EF_CONVERTER_MANAGED,
792 2,
793 {{"tid", PT_PID, PF_DEC}, {"sig", PT_SIGTYPE, PF_DEC}}},
794 [PPME_SYSCALL_TKILL_X] = {"tkill",
795 EC_SIGNAL | EC_SYSCALL,
796 EF_CONVERTER_MANAGED,
797 3,
798 {{"res", PT_ERRNO, PF_DEC},
799 {"tid", PT_PID, PF_DEC},
800 {"sig", PT_SIGTYPE, PF_DEC}}},
801 [PPME_SYSCALL_TGKILL_E] = {"tgkill",
802 EC_SIGNAL | EC_SYSCALL,
803 EF_OLD_VERSION | EF_CONVERTER_MANAGED,
804 3,
805 {{"pid", PT_PID, PF_DEC},
806 {"tid", PT_PID, PF_DEC},
807 {"sig", PT_SIGTYPE, PF_DEC}}},
808 [PPME_SYSCALL_TGKILL_X] = {"tgkill",
809 EC_SIGNAL | EC_SYSCALL,
810 EF_CONVERTER_MANAGED,
811 4,
812 {{"res", PT_ERRNO, PF_DEC},
813 {"pid", PT_PID, PF_DEC},
814 {"tid", PT_PID, PF_DEC},
815 {"sig", PT_SIGTYPE, PF_DEC}}},
816 [PPME_SYSCALL_NANOSLEEP_E] = {"nanosleep",
817 EC_SLEEP | EC_SYSCALL,
818 EF_OLD_VERSION | EF_WAITS | EF_CONVERTER_MANAGED,
819 1,
820 {{"interval", PT_RELTIME, PF_DEC}}},
821 [PPME_SYSCALL_NANOSLEEP_X] = {"nanosleep",
822 EC_SLEEP | EC_SYSCALL,
823 EF_WAITS | EF_CONVERTER_MANAGED,
824 2,
825 {{"res", PT_ERRNO, PF_DEC},
826 {"interval", PT_RELTIME, PF_DEC}}},
827 [PPME_SYSCALL_TIMERFD_CREATE_E] = {"timerfd_create",
828 EC_TIME | EC_SYSCALL,
829 EF_OLD_VERSION | EF_CREATES_FD | EF_MODIFIES_STATE |
830 EF_CONVERTER_MANAGED,
831 2,
832 {{"clockid", PT_UINT8, PF_DEC},
833 {"flags", PT_UINT8, PF_HEX}}},
834 [PPME_SYSCALL_TIMERFD_CREATE_X] = {"timerfd_create",
835 EC_TIME | EC_SYSCALL,
836 EF_CREATES_FD | EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
837 3,
838 {{"res", PT_FD, PF_DEC},
839 {"clockid", PT_UINT8, PF_DEC},
840 {"flags", PT_UINT8, PF_HEX}}},
841 [PPME_SYSCALL_INOTIFY_INIT_E] = {"inotify_init",
842 EC_IPC | EC_SYSCALL,
843 EF_OLD_VERSION | EF_CREATES_FD | EF_MODIFIES_STATE |
844 EF_CONVERTER_MANAGED,
845 1,
846 {{"flags", PT_UINT8, PF_HEX}}},
847 [PPME_SYSCALL_INOTIFY_INIT_X] = {"inotify_init",
848 EC_IPC | EC_SYSCALL,
849 EF_CREATES_FD | EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
850 2,
851 {{"res", PT_FD, PF_DEC}, {"flags", PT_UINT8, PF_HEX}}},
852 [PPME_SYSCALL_GETRLIMIT_E] = {"getrlimit",
853 EC_PROCESS | EC_SYSCALL,
854 EF_OLD_VERSION | EF_CONVERTER_MANAGED,
855 1,
856 {{"resource", PT_ENUMFLAGS8, PF_DEC, rlimit_resources}}},
857 [PPME_SYSCALL_GETRLIMIT_X] = {"getrlimit",
858 EC_PROCESS | EC_SYSCALL,
859 EF_CONVERTER_MANAGED,
860 4,
861 {{"res", PT_ERRNO, PF_DEC},
862 {"cur", PT_INT64, PF_DEC},
863 {"max", PT_INT64, PF_DEC},
864 {"resource", PT_ENUMFLAGS8, PF_DEC, rlimit_resources}}},
865 [PPME_SYSCALL_SETRLIMIT_E] = {"setrlimit",
866 EC_PROCESS | EC_SYSCALL,
867 EF_OLD_VERSION | EF_CONVERTER_MANAGED,
868 1,
869 {{"resource", PT_ENUMFLAGS8, PF_DEC, rlimit_resources}}},
870 [PPME_SYSCALL_SETRLIMIT_X] = {"setrlimit",
871 EC_PROCESS | EC_SYSCALL,
872 EF_CONVERTER_MANAGED,
873 4,
874 {{"res", PT_ERRNO, PF_DEC},
875 {"cur", PT_INT64, PF_DEC},
876 {"max", PT_INT64, PF_DEC},
877 {"resource", PT_ENUMFLAGS8, PF_DEC, rlimit_resources}}},
878 [PPME_SYSCALL_PRLIMIT_E] = {"prlimit",
879 EC_PROCESS | EC_SYSCALL,
880 EF_OLD_VERSION | EF_CONVERTER_MANAGED,
881 2,
882 {{"pid", PT_PID, PF_DEC},
883 {"resource", PT_ENUMFLAGS8, PF_DEC, rlimit_resources}}},
884 [PPME_SYSCALL_PRLIMIT_X] = {"prlimit",
885 EC_PROCESS | EC_SYSCALL,
886 EF_CONVERTER_MANAGED,
887 7,
888 {{"res", PT_ERRNO, PF_DEC},
889 {"newcur", PT_INT64, PF_DEC},
890 {"newmax", PT_INT64, PF_DEC},
891 {"oldcur", PT_INT64, PF_DEC},
892 {"oldmax", PT_INT64, PF_DEC},
893 {"pid", PT_INT64, PF_DEC},
894 {"resource", PT_ENUMFLAGS8, PF_DEC, rlimit_resources}}},
895 [PPME_SCHEDSWITCH_1_E] = {"switch",
896 EC_SCHEDULER | EC_TRACEPOINT,
897 EF_OLD_VERSION | EF_SKIPPARSERESET | EF_CONVERTER_MANAGED,
898 1,
899 {{"next", PT_PID, PF_DEC}}},
900 [PPME_SCHEDSWITCH_1_X] = {"NA", EC_UNKNOWN, EF_UNUSED, 0},
901 [PPME_DROP_E] = {"drop",
902 EC_INTERNAL | EC_METAEVENT,
903 EF_SKIPPARSERESET,
904 1,
905 {{"ratio", PT_UINT32, PF_DEC}}},
906 [PPME_DROP_X] = {"drop",
907 EC_INTERNAL | EC_METAEVENT,
908 EF_SKIPPARSERESET,
909 1,
910 {{"ratio", PT_UINT32, PF_DEC}}},
911 [PPME_SYSCALL_FCNTL_E] = {"fcntl",
912 EC_IO_OTHER | EC_SYSCALL,
913 EF_OLD_VERSION | EF_USES_FD | EF_MODIFIES_STATE |
914 EF_CONVERTER_MANAGED,
915 2,
916 {{"fd", PT_FD, PF_DEC},
917 {"cmd", PT_ENUMFLAGS8, PF_DEC, fcntl_commands}}},
918 [PPME_SYSCALL_FCNTL_X] = {"fcntl",
919 EC_IO_OTHER | EC_SYSCALL,
920 EF_USES_FD | EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
921 3,
922 {{"res", PT_FD, PF_DEC},
923 {"fd", PT_FD, PF_DEC},
924 {"cmd", PT_ENUMFLAGS8, PF_DEC, fcntl_commands}}},
925 [PPME_SCHEDSWITCH_6_E] =
926 {"switch",
927 EC_SCHEDULER | EC_TRACEPOINT,
928 EF_NONE,
929 6,
930 {{"next", PT_PID, PF_DEC},
931 {"pgft_maj", PT_UINT64, PF_DEC},
932 {"pgft_min", PT_UINT64, PF_DEC},
933 {"vm_size", PT_UINT32, PF_DEC},
934 {"vm_rss", PT_UINT32, PF_DEC},
935 {"vm_swap", PT_UINT32, PF_DEC}}},
936 [PPME_SCHEDSWITCH_6_X] = {"NA", EC_UNKNOWN, EF_UNUSED, 0},
937 [PPME_SYSCALL_EXECVE_13_E] = {"execve",
938 EC_PROCESS | EC_SYSCALL,
939 EF_OLD_VERSION | EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
940 0},
941 [PPME_SYSCALL_EXECVE_13_X] = {"execve",
942 EC_PROCESS | EC_SYSCALL,
943 EF_OLD_VERSION | EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
944 13,
945 {{"res", PT_ERRNO, PF_DEC},
946 {"exe", PT_CHARBUF, PF_NA},
947 {"args", PT_BYTEBUF, PF_NA},
948 {"tid", PT_PID, PF_DEC},
949 {"pid", PT_PID, PF_DEC},
950 {"ptid", PT_PID, PF_DEC},
951 {"cwd", PT_CHARBUF, PF_NA},
952 {"fdlimit", PT_UINT64, PF_DEC},
953 {"pgft_maj", PT_UINT64, PF_DEC},
954 {"pgft_min", PT_UINT64, PF_DEC},
955 {"vm_size", PT_UINT32, PF_DEC},
956 {"vm_rss", PT_UINT32, PF_DEC},
957 {"vm_swap", PT_UINT32, PF_DEC}}},
958 [PPME_SYSCALL_CLONE_16_E] = {"clone",
959 EC_PROCESS | EC_SYSCALL,
960 EF_OLD_VERSION | EF_MODIFIES_STATE,
961 0},
962 [PPME_SYSCALL_CLONE_16_X] = {"clone",
963 EC_PROCESS | EC_SYSCALL,
964 EF_OLD_VERSION | EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
965 16,
966 {{"res", PT_PID, PF_DEC},
967 {"exe", PT_CHARBUF, PF_NA},
968 {"args", PT_BYTEBUF, PF_NA},
969 {"tid", PT_PID, PF_DEC},
970 {"pid", PT_PID, PF_DEC},
971 {"ptid", PT_PID, PF_DEC},
972 {"cwd", PT_CHARBUF, PF_NA},
973 {"fdlimit", PT_INT64, PF_DEC},
974 {"pgft_maj", PT_UINT64, PF_DEC},
975 {"pgft_min", PT_UINT64, PF_DEC},
976 {"vm_size", PT_UINT32, PF_DEC},
977 {"vm_rss", PT_UINT32, PF_DEC},
978 {"vm_swap", PT_UINT32, PF_DEC},
979 {"flags", PT_FLAGS32, PF_HEX, clone_flags},
980 {"uid", PT_UINT32, PF_DEC},
981 {"gid", PT_UINT32, PF_DEC}}},
982 [PPME_SYSCALL_BRK_4_E] = {"brk",
983 EC_MEMORY | EC_SYSCALL,
984 EF_OLD_VERSION | EF_CONVERTER_MANAGED,
985 1,
986 {{"addr", PT_UINT64, PF_HEX}}},
987 [PPME_SYSCALL_BRK_4_X] = {"brk",
988 EC_MEMORY | EC_SYSCALL,
989 EF_CONVERTER_MANAGED,
990 5,
991 {{"res", PT_UINT64, PF_HEX},
992 {"vm_size", PT_UINT32, PF_DEC},
993 {"vm_rss", PT_UINT32, PF_DEC},
994 {"vm_swap", PT_UINT32, PF_DEC},
995 {"addr", PT_UINT64, PF_HEX}}},
996 [PPME_SYSCALL_MMAP_E] = {"mmap",
997 EC_MEMORY | EC_SYSCALL,
998 EF_OLD_VERSION | EF_USES_FD | EF_CONVERTER_MANAGED,
999 6,
1000 {{"addr", PT_UINT64, PF_HEX},
1001 {"length", PT_UINT64, PF_DEC},
1002 {"prot", PT_FLAGS32, PF_HEX, prot_flags},
1003 {"flags", PT_FLAGS32, PF_HEX, mmap_flags},
1004 {"fd", PT_FD, PF_DEC},
1005 {"offset", PT_UINT64, PF_DEC}}},
1006 [PPME_SYSCALL_MMAP_X] = {"mmap",
1007 EC_MEMORY | EC_SYSCALL,
1008 EF_USES_FD | EF_CONVERTER_MANAGED,
1009 10,
1010 {{"res", PT_ERRNO, PF_HEX},
1011 {"vm_size", PT_UINT32, PF_DEC},
1012 {"vm_rss", PT_UINT32, PF_DEC},
1013 {"vm_swap", PT_UINT32, PF_DEC},
1014 {"addr", PT_UINT64, PF_HEX},
1015 {"length", PT_UINT64, PF_DEC},
1016 {"prot", PT_FLAGS32, PF_HEX, prot_flags},
1017 {"flags", PT_FLAGS32, PF_HEX, mmap_flags},
1018 {"fd", PT_FD, PF_DEC},
1019 {"offset", PT_UINT64, PF_DEC}}},
1020 [PPME_SYSCALL_MMAP2_E] = {"mmap2",
1021 EC_MEMORY | EC_SYSCALL,
1022 EF_OLD_VERSION | EF_USES_FD | EF_CONVERTER_MANAGED,
1023 6,
1024 {{"addr", PT_UINT64, PF_HEX},
1025 {"length", PT_UINT64, PF_DEC},
1026 {"prot", PT_FLAGS32, PF_HEX, prot_flags},
1027 {"flags", PT_FLAGS32, PF_HEX, mmap_flags},
1028 {"fd", PT_FD, PF_DEC},
1029 {"pgoffset", PT_UINT64, PF_DEC}}},
1030 [PPME_SYSCALL_MMAP2_X] = {"mmap2",
1031 EC_MEMORY | EC_SYSCALL,
1032 EF_USES_FD | EF_CONVERTER_MANAGED,
1033 10,
1034 {{"res", PT_ERRNO, PF_HEX},
1035 {"vm_size", PT_UINT32, PF_DEC},
1036 {"vm_rss", PT_UINT32, PF_DEC},
1037 {"vm_swap", PT_UINT32, PF_DEC},
1038 {"addr", PT_UINT64, PF_HEX},
1039 {"length", PT_UINT64, PF_DEC},
1040 {"prot", PT_FLAGS32, PF_HEX, prot_flags},
1041 {"flags", PT_FLAGS32, PF_HEX, mmap_flags},
1042 {"fd", PT_FD, PF_DEC},
1043 {"pgoffset", PT_UINT64, PF_DEC}}},
1044 [PPME_SYSCALL_MUNMAP_E] = {"munmap",
1045 EC_MEMORY | EC_SYSCALL,
1046 EF_OLD_VERSION | EF_CONVERTER_MANAGED,
1047 2,
1048 {{"addr", PT_UINT64, PF_HEX}, {"length", PT_UINT64, PF_DEC}}},
1049 [PPME_SYSCALL_MUNMAP_X] = {"munmap",
1050 EC_MEMORY | EC_SYSCALL,
1051 EF_CONVERTER_MANAGED,
1052 6,
1053 {{"res", PT_ERRNO, PF_DEC},
1054 {"vm_size", PT_UINT32, PF_DEC},
1055 {"vm_rss", PT_UINT32, PF_DEC},
1056 {"vm_swap", PT_UINT32, PF_DEC},
1057 {"addr", PT_UINT64, PF_HEX},
1058 {"length", PT_UINT64, PF_DEC}}},
1059 [PPME_SYSCALL_SPLICE_E] = {"splice",
1060 EC_IO_OTHER | EC_SYSCALL,
1061 EF_OLD_VERSION | EF_USES_FD | EF_CONVERTER_MANAGED,
1062 4,
1063 {{"fd_in", PT_FD, PF_DEC},
1064 {"fd_out", PT_FD, PF_DEC},
1065 {"size", PT_UINT64, PF_DEC},
1066 {"flags", PT_FLAGS32, PF_HEX, splice_flags}}},
1067 [PPME_SYSCALL_SPLICE_X] = {"splice",
1068 EC_IO_OTHER | EC_SYSCALL,
1069 EF_USES_FD | EF_CONVERTER_MANAGED,
1070 5,
1071 {{"res", PT_ERRNO, PF_DEC},
1072 {"fd_in", PT_FD, PF_DEC},
1073 {"fd_out", PT_FD, PF_DEC},
1074 {"size", PT_UINT64, PF_DEC},
1075 {"flags", PT_FLAGS32, PF_HEX, splice_flags}}},
1076 [PPME_SYSCALL_PTRACE_E] = {"ptrace",
1077 EC_PROCESS | EC_SYSCALL,
1078 EF_OLD_VERSION | EF_CONVERTER_MANAGED,
1079 2,
1080 {{"request", PT_ENUMFLAGS16, PF_DEC, ptrace_requests},
1081 {"pid", PT_PID, PF_DEC}}},
1082 [PPME_SYSCALL_PTRACE_X] =
1083 {"ptrace",
1084 EC_PROCESS | EC_SYSCALL,
1085 EF_CONVERTER_MANAGED,
1086 5,
1087 {{"res", PT_ERRNO, PF_DEC},
1088 {"addr", PT_DYN, PF_HEX, ptrace_dynamic_param, PPM_PTRACE_IDX_MAX},
1089 {"data", PT_DYN, PF_HEX, ptrace_dynamic_param, PPM_PTRACE_IDX_MAX},
1090 {"request", PT_ENUMFLAGS16, PF_DEC, ptrace_requests},
1091 {"pid", PT_PID, PF_DEC}}},
1092 [PPME_SYSCALL_IOCTL_3_E] = {"ioctl",
1093 EC_IO_OTHER | EC_SYSCALL,
1094 EF_OLD_VERSION | EF_USES_FD | EF_CONVERTER_MANAGED,
1095 3,
1096 {{"fd", PT_FD, PF_DEC},
1097 {"request", PT_UINT64, PF_HEX},
1098 {"argument", PT_UINT64, PF_HEX}}},
1099 [PPME_SYSCALL_IOCTL_3_X] = {"ioctl",
1100 EC_IO_OTHER | EC_SYSCALL,
1101 EF_USES_FD | EF_CONVERTER_MANAGED,
1102 4,
1103 {{"res", PT_ERRNO, PF_DEC},
1104 {"fd", PT_FD, PF_DEC},
1105 {"request", PT_UINT64, PF_HEX},
1106 {"argument", PT_UINT64, PF_HEX}}},
1107 [PPME_SYSCALL_EXECVE_14_E] = {"execve",
1108 EC_PROCESS | EC_SYSCALL,
1109 EF_OLD_VERSION | EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
1110 0},
1111 [PPME_SYSCALL_EXECVE_14_X] = {"execve",
1112 EC_PROCESS | EC_SYSCALL,
1113 EF_OLD_VERSION | EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
1114 14,
1115 {{"res", PT_ERRNO, PF_DEC},
1116 {"exe", PT_CHARBUF, PF_NA},
1117 {"args", PT_BYTEBUF, PF_NA},
1118 {"tid", PT_PID, PF_DEC},
1119 {"pid", PT_PID, PF_DEC},
1120 {"ptid", PT_PID, PF_DEC},
1121 {"cwd", PT_CHARBUF, PF_NA},
1122 {"fdlimit", PT_UINT64, PF_DEC},
1123 {"pgft_maj", PT_UINT64, PF_DEC},
1124 {"pgft_min", PT_UINT64, PF_DEC},
1125 {"vm_size", PT_UINT32, PF_DEC},
1126 {"vm_rss", PT_UINT32, PF_DEC},
1127 {"vm_swap", PT_UINT32, PF_DEC},
1128 {"env", PT_BYTEBUF, PF_NA}}},
1129 [PPME_SYSCALL_RENAME_E] = {"rename", EC_FILE | EC_SYSCALL, EF_OLD_VERSION, 0},
1130 [PPME_SYSCALL_RENAME_X] = {"rename",
1131 EC_FILE | EC_SYSCALL,
1132 EF_NONE,
1133 3,
1134 {{"res", PT_ERRNO, PF_DEC},
1135 {"oldpath", PT_FSPATH, PF_NA},
1136 {"newpath", PT_FSPATH, PF_NA}}},
1137 [PPME_SYSCALL_RENAMEAT_E] = {"renameat", EC_FILE | EC_SYSCALL, EF_OLD_VERSION, 0},
1138 [PPME_SYSCALL_RENAMEAT_X] = {"renameat",
1139 EC_FILE | EC_SYSCALL,
1140 EF_NONE,
1141 5,
1142 {{"res", PT_ERRNO, PF_DEC},
1143 {"olddirfd", PT_FD, PF_DEC},
1144 {"oldpath", PT_FSRELPATH, PF_NA, 1},
1145 {"newdirfd", PT_FD, PF_DEC},
1146 {"newpath", PT_FSRELPATH, PF_NA, 3}}},
1147 [PPME_SYSCALL_SYMLINK_E] = {"symlink", EC_FILE | EC_SYSCALL, EF_OLD_VERSION, 0},
1148 [PPME_SYSCALL_SYMLINK_X] = {"symlink",
1149 EC_FILE | EC_SYSCALL,
1150 EF_NONE,
1151 3,
1152 {{"res", PT_ERRNO, PF_DEC},
1153 {"target", PT_CHARBUF, PF_NA},
1154 {"linkpath", PT_FSPATH, PF_NA}}},
1155 [PPME_SYSCALL_SYMLINKAT_E] = {"symlinkat", EC_FILE | EC_SYSCALL, EF_OLD_VERSION, 0},
1156 [PPME_SYSCALL_SYMLINKAT_X] = {"symlinkat",
1157 EC_FILE | EC_SYSCALL,
1158 EF_USES_FD,
1159 4,
1160 {{"res", PT_ERRNO, PF_DEC},
1161 {"target", PT_CHARBUF, PF_NA},
1162 {"linkdirfd", PT_FD, PF_DEC},
1163 {"linkpath", PT_FSRELPATH, PF_NA, 2}}},
1164 [PPME_SYSCALL_FORK_E] = {"fork",
1165 EC_PROCESS | EC_SYSCALL,
1166 EF_OLD_VERSION | EF_MODIFIES_STATE,
1167 0},
1168 [PPME_SYSCALL_FORK_X] = {"fork",
1169 EC_PROCESS | EC_SYSCALL,
1170 EF_OLD_VERSION | EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
1171 16,
1172 {{"res", PT_PID, PF_DEC},
1173 {"exe", PT_CHARBUF, PF_NA},
1174 {"args", PT_BYTEBUF, PF_NA},
1175 {"tid", PT_PID, PF_DEC},
1176 {"pid", PT_PID, PF_DEC},
1177 {"ptid", PT_PID, PF_DEC},
1178 {"cwd", PT_CHARBUF, PF_NA},
1179 {"fdlimit", PT_INT64, PF_DEC},
1180 {"pgft_maj", PT_UINT64, PF_DEC},
1181 {"pgft_min", PT_UINT64, PF_DEC},
1182 {"vm_size", PT_UINT32, PF_DEC},
1183 {"vm_rss", PT_UINT32, PF_DEC},
1184 {"vm_swap", PT_UINT32, PF_DEC},
1185 {"flags", PT_FLAGS32, PF_HEX, clone_flags},
1186 {"uid", PT_UINT32, PF_DEC},
1187 {"gid", PT_UINT32, PF_DEC}}},
1188 [PPME_SYSCALL_VFORK_E] = {"vfork",
1189 EC_PROCESS | EC_SYSCALL,
1190 EF_OLD_VERSION | EF_MODIFIES_STATE,
1191 0},
1192 [PPME_SYSCALL_VFORK_X] = {"vfork",
1193 EC_PROCESS | EC_SYSCALL,
1194 EF_OLD_VERSION | EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
1195 16,
1196 {{"res", PT_PID, PF_DEC},
1197 {"exe", PT_CHARBUF, PF_NA},
1198 {"args", PT_BYTEBUF, PF_NA},
1199 {"tid", PT_PID, PF_DEC},
1200 {"pid", PT_PID, PF_DEC},
1201 {"ptid", PT_PID, PF_DEC},
1202 {"cwd", PT_CHARBUF, PF_NA},
1203 {"fdlimit", PT_INT64, PF_DEC},
1204 {"pgft_maj", PT_UINT64, PF_DEC},
1205 {"pgft_min", PT_UINT64, PF_DEC},
1206 {"vm_size", PT_UINT32, PF_DEC},
1207 {"vm_rss", PT_UINT32, PF_DEC},
1208 {"vm_swap", PT_UINT32, PF_DEC},
1209 {"flags", PT_FLAGS32, PF_HEX, clone_flags},
1210 {"uid", PT_UINT32, PF_DEC},
1211 {"gid", PT_UINT32, PF_DEC}}},
1212 [PPME_PROCEXIT_1_E] = {"procexit",
1213 EC_PROCESS | EC_TRACEPOINT,
1214 EF_MODIFIES_STATE,
1215 5,
1216 {{"status", PT_ERRNO, PF_DEC},
1217 {"ret", PT_ERRNO, PF_DEC},
1218 {"sig", PT_SIGTYPE, PF_DEC},
1219 {"core", PT_UINT8, PF_DEC},
1220 {"reaper_tid", PT_PID, PF_DEC}}},
1221 [PPME_PROCEXIT_1_X] = {"NA", EC_UNKNOWN, EF_UNUSED, 0},
1222 [PPME_SYSCALL_SENDFILE_E] = {"sendfile",
1223 EC_IO_WRITE | EC_SYSCALL,
1224 EF_OLD_VERSION | EF_USES_FD | EF_CONVERTER_MANAGED,
1225 4,
1226 {{"out_fd", PT_FD, PF_DEC},
1227 {"in_fd", PT_FD, PF_DEC},
1228 {"offset", PT_UINT64, PF_DEC},
1229 {"size", PT_UINT64, PF_DEC}}},
1230 [PPME_SYSCALL_SENDFILE_X] = {"sendfile",
1231 EC_IO_WRITE | EC_SYSCALL,
1232 EF_USES_FD | EF_CONVERTER_MANAGED,
1233 5,
1234 {{"res", PT_ERRNO, PF_DEC},
1235 {"offset", PT_UINT64, PF_DEC},
1236 {"out_fd", PT_FD, PF_DEC},
1237 {"in_fd", PT_FD, PF_DEC},
1238 {"size", PT_UINT64, PF_DEC}}},
1239 [PPME_SYSCALL_QUOTACTL_E] = {"quotactl",
1240 EC_USER | EC_SYSCALL,
1241 EF_OLD_VERSION | EF_CONVERTER_MANAGED,
1242 4,
1243 {{"cmd", PT_FLAGS16, PF_DEC, quotactl_cmds},
1244 {"type", PT_FLAGS8, PF_DEC, quotactl_types},
1245 {"id", PT_UINT32, PF_DEC},
1246 {"quota_fmt", PT_FLAGS8, PF_DEC, quotactl_quota_fmts}}},
1247 [PPME_SYSCALL_QUOTACTL_X] = {"quotactl",
1248 EC_USER | EC_SYSCALL,
1249 EF_CONVERTER_MANAGED,
1250 18,
1251 {{"res", PT_ERRNO, PF_DEC},
1252 {"special", PT_CHARBUF, PF_NA},
1253 {"quotafilepath", PT_CHARBUF, PF_NA},
1254 {"dqb_bhardlimit", PT_UINT64, PF_DEC},
1255 {"dqb_bsoftlimit", PT_UINT64, PF_DEC},
1256 {"dqb_curspace", PT_UINT64, PF_DEC},
1257 {"dqb_ihardlimit", PT_UINT64, PF_DEC},
1258 {"dqb_isoftlimit", PT_UINT64, PF_DEC},
1259 {"dqb_btime", PT_RELTIME, PF_DEC},
1260 {"dqb_itime", PT_RELTIME, PF_DEC},
1261 {"dqi_bgrace", PT_RELTIME, PF_DEC},
1262 {"dqi_igrace", PT_RELTIME, PF_DEC},
1263 {"dqi_flags", PT_FLAGS8, PF_DEC, quotactl_dqi_flags},
1264 {"quota_fmt_out", PT_FLAGS8, PF_DEC, quotactl_quota_fmts},
1265 {"cmd", PT_FLAGS16, PF_DEC, quotactl_cmds},
1266 {"type", PT_FLAGS8, PF_DEC, quotactl_types},
1267 {"id", PT_UINT32, PF_DEC},
1268 {"quota_fmt", PT_FLAGS8, PF_DEC, quotactl_quota_fmts}}},
1269 [PPME_SYSCALL_SETRESUID_E] = {"setresuid",
1270 EC_USER | EC_SYSCALL,
1271 EF_OLD_VERSION | EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
1272 3,
1273 {{"ruid", PT_UID, PF_DEC},
1274 {"euid", PT_UID, PF_DEC},
1275 {"suid", PT_UID, PF_DEC}}},
1276 [PPME_SYSCALL_SETRESUID_X] = {"setresuid",
1277 EC_USER | EC_SYSCALL,
1278 EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
1279 4,
1280 {{"res", PT_ERRNO, PF_DEC},
1281 {"ruid", PT_UID, PF_DEC},
1282 {"euid", PT_UID, PF_DEC},
1283 {"suid", PT_UID, PF_DEC}}},
1284 [PPME_SYSCALL_SETRESGID_E] = {"setresgid",
1285 EC_USER | EC_SYSCALL,
1286 EF_OLD_VERSION | EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
1287 3,
1288 {{"rgid", PT_GID, PF_DEC},
1289 {"egid", PT_GID, PF_DEC},
1290 {"sgid", PT_GID, PF_DEC}}},
1291 [PPME_SYSCALL_SETRESGID_X] = {"setresgid",
1292 EC_USER | EC_SYSCALL,
1293 EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
1294 4,
1295 {{"res", PT_ERRNO, PF_DEC},
1296 {"rgid", PT_GID, PF_DEC},
1297 {"egid", PT_GID, PF_DEC},
1298 {"sgid", PT_GID, PF_DEC}}},
1299 [PPME_SCAPEVENT_E] = {"scapevent",
1300 EC_INTERNAL | EC_METAEVENT,
1301 EF_SKIPPARSERESET,
1302 2,
1303 {{"event_type", PT_UINT32, PF_DEC},
1304 {"event_data", PT_UINT64, PF_DEC}}},
1305 [PPME_SCAPEVENT_X] = {"NA", EC_UNKNOWN, EF_UNUSED, 0},
1306 [PPME_SYSCALL_SETUID_E] = {"setuid",
1307 EC_USER | EC_SYSCALL,
1308 EF_OLD_VERSION | EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
1309 1,
1310 {{"uid", PT_UID, PF_DEC}}},
1311 [PPME_SYSCALL_SETUID_X] = {"setuid",
1312 EC_USER | EC_SYSCALL,
1313 EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
1314 2,
1315 {{"res", PT_ERRNO, PF_DEC}, {"uid", PT_UID, PF_DEC}}},
1316 [PPME_SYSCALL_SETGID_E] = {"setgid",
1317 EC_USER | EC_SYSCALL,
1318 EF_OLD_VERSION | EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
1319 1,
1320 {{"gid", PT_GID, PF_DEC}}},
1321 [PPME_SYSCALL_SETGID_X] = {"setgid",
1322 EC_USER | EC_SYSCALL,
1323 EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
1324 2,
1325 {{"res", PT_ERRNO, PF_DEC}, {"gid", PT_GID, PF_DEC}}},
1326 [PPME_SYSCALL_GETUID_E] = {"getuid", EC_USER | EC_SYSCALL, EF_OLD_VERSION, 0},
1327 [PPME_SYSCALL_GETUID_X] =
1328 {"getuid", EC_USER | EC_SYSCALL, EF_NONE, 1, {{"uid", PT_UID, PF_DEC}}},
1329 [PPME_SYSCALL_GETEUID_E] = {"geteuid", EC_USER | EC_SYSCALL, EF_OLD_VERSION, 0},
1330 [PPME_SYSCALL_GETEUID_X] =
1331 {"geteuid", EC_USER | EC_SYSCALL, EF_NONE, 1, {{"euid", PT_UID, PF_DEC}}},
1332 [PPME_SYSCALL_GETGID_E] = {"getgid", EC_USER | EC_SYSCALL, EF_OLD_VERSION, 0},
1333 [PPME_SYSCALL_GETGID_X] =
1334 {"getgid", EC_USER | EC_SYSCALL, EF_NONE, 1, {{"gid", PT_GID, PF_DEC}}},
1335 [PPME_SYSCALL_GETEGID_E] = {"getegid", EC_USER | EC_SYSCALL, EF_OLD_VERSION, 0},
1336 [PPME_SYSCALL_GETEGID_X] =
1337 {"getegid", EC_USER | EC_SYSCALL, EF_NONE, 1, {{"egid", PT_GID, PF_DEC}}},
1338 [PPME_SYSCALL_GETRESUID_E] = {"getresuid", EC_USER | EC_SYSCALL, EF_OLD_VERSION, 0},
1339 [PPME_SYSCALL_GETRESUID_X] = {"getresuid",
1340 EC_USER | EC_SYSCALL,
1341 EF_NONE,
1342 4,
1343 {{"res", PT_ERRNO, PF_DEC},
1344 {"ruid", PT_UID, PF_DEC},
1345 {"euid", PT_UID, PF_DEC},
1346 {"suid", PT_UID, PF_DEC}}},
1347 [PPME_SYSCALL_GETRESGID_E] = {"getresgid", EC_USER | EC_SYSCALL, EF_OLD_VERSION, 0},
1348 [PPME_SYSCALL_GETRESGID_X] = {"getresgid",
1349 EC_USER | EC_SYSCALL,
1350 EF_NONE,
1351 4,
1352 {{"res", PT_ERRNO, PF_DEC},
1353 {"rgid", PT_GID, PF_DEC},
1354 {"egid", PT_GID, PF_DEC},
1355 {"sgid", PT_GID, PF_DEC}}},
1356 [PPME_SYSCALL_EXECVE_15_E] = {"execve",
1357 EC_PROCESS | EC_SYSCALL,
1358 EF_OLD_VERSION | EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
1359 0},
1360 [PPME_SYSCALL_EXECVE_15_X] = {"execve",
1361 EC_PROCESS | EC_SYSCALL,
1362 EF_OLD_VERSION | EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
1363 15,
1364 {{"res", PT_ERRNO, PF_DEC},
1365 {"exe", PT_CHARBUF, PF_NA},
1366 {"args", PT_BYTEBUF, PF_NA},
1367 {"tid", PT_PID, PF_DEC},
1368 {"pid", PT_PID, PF_DEC},
1369 {"ptid", PT_PID, PF_DEC},
1370 {"cwd", PT_CHARBUF, PF_NA},
1371 {"fdlimit", PT_UINT64, PF_DEC},
1372 {"pgft_maj", PT_UINT64, PF_DEC},
1373 {"pgft_min", PT_UINT64, PF_DEC},
1374 {"vm_size", PT_UINT32, PF_DEC},
1375 {"vm_rss", PT_UINT32, PF_DEC},
1376 {"vm_swap", PT_UINT32, PF_DEC},
1377 {"comm", PT_CHARBUF, PF_NA},
1378 {"env", PT_BYTEBUF, PF_NA}}},
1379 [PPME_SYSCALL_CLONE_17_E] = {"clone",
1380 EC_PROCESS | EC_SYSCALL,
1381 EF_OLD_VERSION | EF_MODIFIES_STATE,
1382 0},
1383 [PPME_SYSCALL_CLONE_17_X] = {"clone",
1384 EC_PROCESS | EC_SYSCALL,
1385 EF_OLD_VERSION | EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
1386 17,
1387 {{"res", PT_PID, PF_DEC},
1388 {"exe", PT_CHARBUF, PF_NA},
1389 {"args", PT_BYTEBUF, PF_NA},
1390 {"tid", PT_PID, PF_DEC},
1391 {"pid", PT_PID, PF_DEC},
1392 {"ptid", PT_PID, PF_DEC},
1393 {"cwd", PT_CHARBUF, PF_NA},
1394 {"fdlimit", PT_INT64, PF_DEC},
1395 {"pgft_maj", PT_UINT64, PF_DEC},
1396 {"pgft_min", PT_UINT64, PF_DEC},
1397 {"vm_size", PT_UINT32, PF_DEC},
1398 {"vm_rss", PT_UINT32, PF_DEC},
1399 {"vm_swap", PT_UINT32, PF_DEC},
1400 {"comm", PT_CHARBUF, PF_NA},
1401 {"flags", PT_FLAGS32, PF_HEX, clone_flags},
1402 {"uid", PT_UINT32, PF_DEC},
1403 {"gid", PT_UINT32, PF_DEC}}},
1404 [PPME_SYSCALL_FORK_17_E] = {"fork",
1405 EC_PROCESS | EC_SYSCALL,
1406 EF_OLD_VERSION | EF_MODIFIES_STATE,
1407 0},
1408 [PPME_SYSCALL_FORK_17_X] = {"fork",
1409 EC_PROCESS | EC_SYSCALL,
1410 EF_OLD_VERSION | EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
1411 17,
1412 {{"res", PT_PID, PF_DEC},
1413 {"exe", PT_CHARBUF, PF_NA},
1414 {"args", PT_BYTEBUF, PF_NA},
1415 {"tid", PT_PID, PF_DEC},
1416 {"pid", PT_PID, PF_DEC},
1417 {"ptid", PT_PID, PF_DEC},
1418 {"cwd", PT_CHARBUF, PF_NA},
1419 {"fdlimit", PT_INT64, PF_DEC},
1420 {"pgft_maj", PT_UINT64, PF_DEC},
1421 {"pgft_min", PT_UINT64, PF_DEC},
1422 {"vm_size", PT_UINT32, PF_DEC},
1423 {"vm_rss", PT_UINT32, PF_DEC},
1424 {"vm_swap", PT_UINT32, PF_DEC},
1425 {"comm", PT_CHARBUF, PF_NA},
1426 {"flags", PT_FLAGS32, PF_HEX, clone_flags},
1427 {"uid", PT_UINT32, PF_DEC},
1428 {"gid", PT_UINT32, PF_DEC}}},
1429 [PPME_SYSCALL_VFORK_17_E] = {"vfork",
1430 EC_PROCESS | EC_SYSCALL,
1431 EF_OLD_VERSION | EF_MODIFIES_STATE,
1432 0},
1433 [PPME_SYSCALL_VFORK_17_X] = {"vfork",
1434 EC_PROCESS | EC_SYSCALL,
1435 EF_OLD_VERSION | EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
1436 17,
1437 {{"res", PT_PID, PF_DEC},
1438 {"exe", PT_CHARBUF, PF_NA},
1439 {"args", PT_BYTEBUF, PF_NA},
1440 {"tid", PT_PID, PF_DEC},
1441 {"pid", PT_PID, PF_DEC},
1442 {"ptid", PT_PID, PF_DEC},
1443 {"cwd", PT_CHARBUF, PF_NA},
1444 {"fdlimit", PT_INT64, PF_DEC},
1445 {"pgft_maj", PT_UINT64, PF_DEC},
1446 {"pgft_min", PT_UINT64, PF_DEC},
1447 {"vm_size", PT_UINT32, PF_DEC},
1448 {"vm_rss", PT_UINT32, PF_DEC},
1449 {"vm_swap", PT_UINT32, PF_DEC},
1450 {"comm", PT_CHARBUF, PF_NA},
1451 {"flags", PT_FLAGS32, PF_HEX, clone_flags},
1452 {"uid", PT_UINT32, PF_DEC},
1453 {"gid", PT_UINT32, PF_DEC}}},
1454 [PPME_SYSCALL_CLONE_20_E] = {"clone",
1455 EC_PROCESS | EC_SYSCALL,
1456 EF_OLD_VERSION | EF_MODIFIES_STATE,
1457 0},
1458 [PPME_SYSCALL_CLONE_20_X] = {"clone",
1459 EC_PROCESS | EC_SYSCALL,
1460 EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
1461 21,
1462 {{"res", PT_PID, PF_DEC},
1463 {"exe", PT_CHARBUF, PF_NA},
1464 {"args", PT_BYTEBUF, PF_NA},
1465 {"tid", PT_PID, PF_DEC},
1466 {"pid", PT_PID, PF_DEC},
1467 {"ptid", PT_PID, PF_DEC},
1468 {"cwd", PT_CHARBUF, PF_NA},
1469 {"fdlimit", PT_INT64, PF_DEC},
1470 {"pgft_maj", PT_UINT64, PF_DEC},
1471 {"pgft_min", PT_UINT64, PF_DEC},
1472 {"vm_size", PT_UINT32, PF_DEC},
1473 {"vm_rss", PT_UINT32, PF_DEC},
1474 {"vm_swap", PT_UINT32, PF_DEC},
1475 {"comm", PT_CHARBUF, PF_NA},
1476 {"cgroups", PT_BYTEBUF, PF_NA},
1477 {"flags", PT_FLAGS32, PF_HEX, clone_flags},
1478 {"uid", PT_UINT32, PF_DEC},
1479 {"gid", PT_UINT32, PF_DEC},
1480 {"vtid", PT_PID, PF_DEC},
1481 {"vpid", PT_PID, PF_DEC},
1482 {"pidns_init_start_ts", PT_UINT64, PF_DEC}}},
1483 [PPME_SYSCALL_FORK_20_E] = {"fork",
1484 EC_PROCESS | EC_SYSCALL,
1485 EF_OLD_VERSION | EF_MODIFIES_STATE,
1486 0},
1487 [PPME_SYSCALL_FORK_20_X] = {"fork",
1488 EC_PROCESS | EC_SYSCALL,
1489 EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
1490 21,
1491 {{"res", PT_PID, PF_DEC},
1492 {"exe", PT_CHARBUF, PF_NA},
1493 {"args", PT_BYTEBUF, PF_NA},
1494 {"tid", PT_PID, PF_DEC},
1495 {"pid", PT_PID, PF_DEC},
1496 {"ptid", PT_PID, PF_DEC},
1497 {"cwd", PT_CHARBUF, PF_NA},
1498 {"fdlimit", PT_INT64, PF_DEC},
1499 {"pgft_maj", PT_UINT64, PF_DEC},
1500 {"pgft_min", PT_UINT64, PF_DEC},
1501 {"vm_size", PT_UINT32, PF_DEC},
1502 {"vm_rss", PT_UINT32, PF_DEC},
1503 {"vm_swap", PT_UINT32, PF_DEC},
1504 {"comm", PT_CHARBUF, PF_NA},
1505 {"cgroups", PT_BYTEBUF, PF_NA},
1506 {"flags", PT_FLAGS32, PF_HEX, clone_flags},
1507 {"uid", PT_UINT32, PF_DEC},
1508 {"gid", PT_UINT32, PF_DEC},
1509 {"vtid", PT_PID, PF_DEC},
1510 {"vpid", PT_PID, PF_DEC},
1511 {"pidns_init_start_ts", PT_UINT64, PF_DEC}}},
1512 [PPME_SYSCALL_VFORK_20_E] = {"vfork",
1513 EC_PROCESS | EC_SYSCALL,
1514 EF_OLD_VERSION | EF_MODIFIES_STATE,
1515 0},
1516 [PPME_SYSCALL_VFORK_20_X] = {"vfork",
1517 EC_PROCESS | EC_SYSCALL,
1518 EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
1519 21,
1520 {{"res", PT_PID, PF_DEC},
1521 {"exe", PT_CHARBUF, PF_NA},
1522 {"args", PT_BYTEBUF, PF_NA},
1523 {"tid", PT_PID, PF_DEC},
1524 {"pid", PT_PID, PF_DEC},
1525 {"ptid", PT_PID, PF_DEC},
1526 {"cwd", PT_CHARBUF, PF_NA},
1527 {"fdlimit", PT_INT64, PF_DEC},
1528 {"pgft_maj", PT_UINT64, PF_DEC},
1529 {"pgft_min", PT_UINT64, PF_DEC},
1530 {"vm_size", PT_UINT32, PF_DEC},
1531 {"vm_rss", PT_UINT32, PF_DEC},
1532 {"vm_swap", PT_UINT32, PF_DEC},
1533 {"comm", PT_CHARBUF, PF_NA},
1534 {"cgroups", PT_BYTEBUF, PF_NA},
1535 {"flags", PT_FLAGS32, PF_HEX, clone_flags},
1536 {"uid", PT_UINT32, PF_DEC},
1537 {"gid", PT_UINT32, PF_DEC},
1538 {"vtid", PT_PID, PF_DEC},
1539 {"vpid", PT_PID, PF_DEC},
1540 {"pidns_init_start_ts", PT_UINT64, PF_DEC}}},
1541 [PPME_CONTAINER_E] = {"container",
1542 EC_INTERNAL | EC_METAEVENT,
1543 EF_OLD_VERSION | EF_SKIPPARSERESET | EF_MODIFIES_STATE |
1544 EF_CONVERTER_MANAGED,
1545 4,
1546 {{"id", PT_CHARBUF, PF_NA},
1547 {"type", PT_UINT32, PF_DEC},
1548 {"name", PT_CHARBUF, PF_NA},
1549 {"image", PT_CHARBUF, PF_NA}}},
1550 [PPME_CONTAINER_X] = {"NA", EC_UNKNOWN, EF_UNUSED, 0},
1551 [PPME_SYSCALL_EXECVE_16_E] = {"execve",
1552 EC_PROCESS | EC_SYSCALL,
1553 EF_OLD_VERSION | EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
1554 0},
1555 [PPME_SYSCALL_EXECVE_16_X] = {"execve",
1556 EC_PROCESS | EC_SYSCALL,
1557 EF_OLD_VERSION | EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
1558 16,
1559 {{"res", PT_ERRNO, PF_DEC},
1560 {"exe", PT_CHARBUF, PF_NA},
1561 {"args", PT_BYTEBUF, PF_NA},
1562 {"tid", PT_PID, PF_DEC},
1563 {"pid", PT_PID, PF_DEC},
1564 {"ptid", PT_PID, PF_DEC},
1565 {"cwd", PT_CHARBUF, PF_NA},
1566 {"fdlimit", PT_UINT64, PF_DEC},
1567 {"pgft_maj", PT_UINT64, PF_DEC},
1568 {"pgft_min", PT_UINT64, PF_DEC},
1569 {"vm_size", PT_UINT32, PF_DEC},
1570 {"vm_rss", PT_UINT32, PF_DEC},
1571 {"vm_swap", PT_UINT32, PF_DEC},
1572 {"comm", PT_CHARBUF, PF_NA},
1573 {"cgroups", PT_BYTEBUF, PF_NA},
1574 {"env", PT_BYTEBUF, PF_NA}}},
1575 [PPME_SIGNALDELIVER_E] = {"signaldeliver",
1576 EC_SIGNAL | EC_TRACEPOINT,
1577 EF_NONE,
1578 3,
1579 {{"spid", PT_PID, PF_DEC},
1580 {"dpid", PT_PID, PF_DEC},
1581 {"sig", PT_SIGTYPE, PF_DEC}}},
1582 [PPME_SIGNALDELIVER_X] = {"NA", EC_UNKNOWN, EF_UNUSED, 0},
1583 [PPME_PROCINFO_E] = {"procinfo",
1584 EC_INTERNAL | EC_METAEVENT,
1585 EF_SKIPPARSERESET,
1586 2,
1587 {{"cpu_usr", PT_UINT64, PF_DEC}, {"cpu_sys", PT_UINT64, PF_DEC}}},
1588 [PPME_PROCINFO_X] = {"NA", EC_UNKNOWN, EF_UNUSED, 0},
1589 [PPME_SYSCALL_GETDENTS_E] = {"getdents",
1590 EC_FILE | EC_SYSCALL,
1591 EF_OLD_VERSION | EF_USES_FD | EF_CONVERTER_MANAGED,
1592 1,
1593 {{"fd", PT_FD, PF_NA}}},
1594 [PPME_SYSCALL_GETDENTS_X] = {"getdents",
1595 EC_FILE | EC_SYSCALL,
1596 EF_USES_FD | EF_CONVERTER_MANAGED,
1597 2,
1598 {{"res", PT_ERRNO, PF_DEC}, {"fd", PT_FD, PF_NA}}},
1599 [PPME_SYSCALL_GETDENTS64_E] = {"getdents64",
1600 EC_FILE | EC_SYSCALL,
1601 EF_OLD_VERSION | EF_USES_FD | EF_CONVERTER_MANAGED,
1602 1,
1603 {{"fd", PT_FD, PF_NA}}},
1604 [PPME_SYSCALL_GETDENTS64_X] = {"getdents64",
1605 EC_FILE | EC_SYSCALL,
1606 EF_USES_FD | EF_CONVERTER_MANAGED,
1607 2,
1608 {{"res", PT_ERRNO, PF_DEC}, {"fd", PT_FD, PF_NA}}},
1609 [PPME_SYSCALL_SETNS_E] = {"setns",
1610 EC_PROCESS | EC_SYSCALL,
1611 EF_OLD_VERSION | EF_USES_FD | EF_CONVERTER_MANAGED,
1612 2,
1613 {{"fd", PT_FD, PF_NA},
1614 {"nstype", PT_FLAGS32, PF_HEX, clone_flags}}},
1615 [PPME_SYSCALL_SETNS_X] = {"setns",
1616 EC_PROCESS | EC_SYSCALL,
1617 EF_USES_FD | EF_CONVERTER_MANAGED,
1618 3,
1619 {{"res", PT_ERRNO, PF_DEC},
1620 {"fd", PT_FD, PF_NA},
1621 {"nstype", PT_FLAGS32, PF_HEX, clone_flags}}},
1622 [PPME_SYSCALL_FLOCK_E] = {"flock",
1623 EC_FILE | EC_SYSCALL,
1624 EF_OLD_VERSION | EF_USES_FD | EF_CONVERTER_MANAGED,
1625 2,
1626 {{"fd", PT_FD, PF_NA},
1627 {"operation", PT_FLAGS32, PF_HEX, flock_flags}}},
1628 [PPME_SYSCALL_FLOCK_X] = {"flock",
1629 EC_FILE | EC_SYSCALL,
1630 EF_USES_FD | EF_CONVERTER_MANAGED,
1631 3,
1632 {{"res", PT_ERRNO, PF_DEC},
1633 {"fd", PT_FD, PF_NA},
1634 {"operation", PT_FLAGS32, PF_HEX, flock_flags}}},
1635 [PPME_CPU_HOTPLUG_E] = {"cpu_hotplug",
1636 EC_SYSTEM | EC_METAEVENT,
1637 EF_SKIPPARSERESET | EF_MODIFIES_STATE,
1638 2,
1639 {{"cpu", PT_UINT32, PF_DEC}, {"action", PT_UINT32, PF_DEC}}},
1640 [PPME_CPU_HOTPLUG_X] = {"NA", EC_UNKNOWN, EF_UNUSED, 0},
1641 [PPME_SOCKET_ACCEPT_5_E] = {"accept",
1642 EC_NET | EC_SYSCALL,
1643 EF_OLD_VERSION | EF_CREATES_FD | EF_MODIFIES_STATE,
1644 0},
1645 [PPME_SOCKET_ACCEPT_5_X] = {"accept",
1646 EC_NET | EC_SYSCALL,
1647 EF_CREATES_FD | EF_MODIFIES_STATE,
1648 5,
1649 {{"fd", PT_FD, PF_DEC},
1650 {"tuple", PT_SOCKTUPLE, PF_NA},
1651 {"queuepct", PT_UINT8, PF_DEC},
1652 {"queuelen", PT_UINT32, PF_DEC},
1653 {"queuemax", PT_UINT32, PF_DEC}}},
1654 [PPME_SOCKET_ACCEPT4_5_E] = {"accept",
1655 EC_NET | EC_SYSCALL,
1656 EF_OLD_VERSION | EF_CREATES_FD | EF_MODIFIES_STATE |
1657 EF_CONVERTER_MANAGED,
1658 1,
1659 {{"flags", PT_INT32, PF_HEX}}},
1660 [PPME_SOCKET_ACCEPT4_5_X] = {"accept",
1661 EC_NET | EC_SYSCALL,
1662 EF_OLD_VERSION | EF_CREATES_FD | EF_MODIFIES_STATE |
1663 EF_CONVERTER_MANAGED,
1664 5,
1665 {{"fd", PT_FD, PF_DEC},
1666 {"tuple", PT_SOCKTUPLE, PF_NA},
1667 {"queuepct", PT_UINT8, PF_DEC},
1668 {"queuelen", PT_UINT32, PF_DEC},
1669 {"queuemax", PT_UINT32, PF_DEC}}},
1670 [PPME_SYSCALL_SEMOP_E] = {"semop",
1671 EC_PROCESS | EC_SYSCALL,
1672 EF_OLD_VERSION | EF_CONVERTER_MANAGED,
1673 1,
1674 {{"semid", PT_INT32, PF_DEC}}},
1675 [PPME_SYSCALL_SEMOP_X] = {"semop",
1676 EC_PROCESS | EC_SYSCALL,
1677 EF_CONVERTER_MANAGED,
1678 9,
1679 {{"res", PT_ERRNO, PF_DEC},
1680 {"nsops", PT_UINT32, PF_DEC},
1681 {"sem_num_0", PT_UINT16, PF_DEC},
1682 {"sem_op_0", PT_INT16, PF_DEC},
1683 {"sem_flg_0", PT_FLAGS16, PF_HEX, semop_flags},
1684 {"sem_num_1", PT_UINT16, PF_DEC},
1685 {"sem_op_1", PT_INT16, PF_DEC},
1686 {"sem_flg_1", PT_FLAGS16, PF_HEX, semop_flags},
1687 {"semid", PT_INT32, PF_DEC}}},
1688 [PPME_SYSCALL_SEMCTL_E] = {"semctl",
1689 EC_PROCESS | EC_SYSCALL,
1690 EF_OLD_VERSION | EF_CONVERTER_MANAGED,
1691 4,
1692 {{"semid", PT_INT32, PF_DEC},
1693 {"semnum", PT_INT32, PF_DEC},
1694 {"cmd", PT_FLAGS16, PF_HEX, semctl_commands},
1695 {"val", PT_INT32, PF_DEC}}},
1696 [PPME_SYSCALL_SEMCTL_X] = {"semctl",
1697 EC_PROCESS | EC_SYSCALL,
1698 EF_CONVERTER_MANAGED,
1699 5,
1700 {{"res", PT_ERRNO, PF_DEC},
1701 {"semid", PT_INT32, PF_DEC},
1702 {"semnum", PT_INT32, PF_DEC},
1703 {"cmd", PT_FLAGS16, PF_HEX, semctl_commands},
1704 {"val", PT_INT32, PF_DEC}}},
1705 [PPME_SYSCALL_PPOLL_E] = {"ppoll",
1706 EC_WAIT | EC_SYSCALL,
1707 EF_OLD_VERSION | EF_WAITS | EF_CONVERTER_MANAGED,
1708 3,
1709 {{"fds", PT_FDLIST, PF_DEC},
1710 {"timeout", PT_RELTIME, PF_DEC},
1711 {"sigmask", PT_SIGSET, PF_DEC}}},
1712 [PPME_SYSCALL_PPOLL_X] = {"ppoll",
1713 EC_WAIT | EC_SYSCALL,
1714 EF_WAITS | EF_CONVERTER_MANAGED,
1715 4,
1716 {{"res", PT_ERRNO, PF_DEC},
1717 {"fds", PT_FDLIST, PF_DEC},
1718 {"timeout", PT_RELTIME, PF_DEC},
1719 {"sigmask", PT_SIGSET, PF_DEC}}},
1720 [PPME_SYSCALL_MOUNT_E] = {"mount",
1721 EC_FILE | EC_SYSCALL,
1722 EF_OLD_VERSION | EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
1723 1,
1724 {{"flags", PT_FLAGS32, PF_HEX, mount_flags}}},
1725 [PPME_SYSCALL_MOUNT_X] = {"mount",
1726 EC_FILE | EC_SYSCALL,
1727 EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
1728 5,
1729 {{"res", PT_ERRNO, PF_DEC},
1730 {"dev", PT_CHARBUF, PF_NA},
1731 {"dir", PT_FSPATH, PF_NA},
1732 {"type", PT_CHARBUF, PF_NA},
1733 {"flags", PT_FLAGS32, PF_HEX, mount_flags}}},
1734 [PPME_SYSCALL_UMOUNT_E] = {"umount",
1735 EC_FILE | EC_SYSCALL,
1736 EF_OLD_VERSION | EF_MODIFIES_STATE,
1737 1,
1738 {{"flags", PT_FLAGS32, PF_HEX, umount_flags}}},
1739 [PPME_SYSCALL_UMOUNT_X] = {"umount",
1740 EC_FILE | EC_SYSCALL,
1741 EF_OLD_VERSION | EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
1742 2,
1743 {{"res", PT_ERRNO, PF_DEC}, {"name", PT_FSPATH, PF_NA}}},
1744 [PPME_K8S_E] = {"k8s",
1745 EC_INTERNAL | EC_METAEVENT,
1746 EF_OLD_VERSION | EF_SKIPPARSERESET | EF_MODIFIES_STATE,
1747 1,
1748 {{"json", PT_CHARBUF, PF_NA}}},
1749 [PPME_K8S_X] = {"NA", EC_UNKNOWN, EF_UNUSED, 0},
1750 [PPME_SYSCALL_SEMGET_E] = {"semget",
1751 EC_PROCESS | EC_SYSCALL,
1752 EF_OLD_VERSION | EF_CONVERTER_MANAGED,
1753 3,
1754 {{"key", PT_INT32, PF_HEX},
1755 {"nsems", PT_INT32, PF_DEC},
1756 {"semflg", PT_FLAGS32, PF_HEX, semget_flags}}},
1757 [PPME_SYSCALL_SEMGET_X] = {"semget",
1758 EC_PROCESS | EC_SYSCALL,
1759 EF_CONVERTER_MANAGED,
1760 4,
1761 {{"res", PT_ERRNO, PF_DEC},
1762 {"key", PT_INT32, PF_HEX},
1763 {"nsems", PT_INT32, PF_DEC},
1764 {"semflg", PT_FLAGS32, PF_HEX, semget_flags}}},
1765 [PPME_SYSCALL_ACCESS_E] = {"access",
1766 EC_FILE | EC_SYSCALL,
1767 EF_OLD_VERSION | EF_CONVERTER_MANAGED,
1768 1,
1769 {{"mode", PT_FLAGS32, PF_HEX, access_flags}}},
1770 [PPME_SYSCALL_ACCESS_X] = {"access",
1771 EC_FILE | EC_SYSCALL,
1772 EF_CONVERTER_MANAGED,
1773 3,
1774 {{"res", PT_ERRNO, PF_DEC},
1775 {"name", PT_FSPATH, PF_NA},
1776 {"mode", PT_FLAGS32, PF_HEX, access_flags}}},
1777 [PPME_SYSCALL_CHROOT_E] = {"chroot",
1778 EC_PROCESS | EC_SYSCALL,
1779 EF_OLD_VERSION | EF_MODIFIES_STATE,
1780 0},
1781 [PPME_SYSCALL_CHROOT_X] = {"chroot",
1782 EC_PROCESS | EC_SYSCALL,
1783 EF_MODIFIES_STATE,
1784 2,
1785 {{"res", PT_ERRNO, PF_DEC}, {"path", PT_FSPATH, PF_NA}}},
1786 [PPME_TRACER_E] = {"tracer",
1787 EC_OTHER | EC_METAEVENT,
1788 EF_OLD_VERSION,
1789 3,
1790 {{"id", PT_INT64, PF_DEC},
1791 {"tags", PT_CHARBUFARRAY, PF_NA},
1792 {"args", PT_CHARBUF_PAIR_ARRAY, PF_NA}}},
1793 [PPME_TRACER_X] = {"NA",
1794 EC_UNKNOWN,
1795 EF_UNUSED,
1796 3,
1797 {{"id", PT_INT64, PF_DEC},
1798 {"tags", PT_CHARBUFARRAY, PF_NA},
1799 {"args", PT_CHARBUF_PAIR_ARRAY, PF_NA}}},
1800 [PPME_MESOS_E] = {"mesos",
1801 EC_INTERNAL | EC_METAEVENT,
1802 EF_OLD_VERSION | EF_SKIPPARSERESET | EF_MODIFIES_STATE,
1803 1,
1804 {{"json", PT_CHARBUF, PF_NA}}},
1805 [PPME_MESOS_X] = {"NA", EC_UNKNOWN, EF_UNUSED, 0},
1806 [PPME_CONTAINER_JSON_E] =
1807 {"container",
1808 EC_PROCESS | EC_METAEVENT,
1809 EF_OLD_VERSION | EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
1810 1,
1811 {{"json", PT_CHARBUF, PF_NA}}},
1812 [PPME_CONTAINER_JSON_X] = {"NA", EC_UNKNOWN, EF_UNUSED, 0},
1813 [PPME_SYSCALL_SETSID_E] = {"setsid",
1814 EC_PROCESS | EC_SYSCALL,
1815 EF_OLD_VERSION | EF_MODIFIES_STATE,
1816 0},
1817 [PPME_SYSCALL_SETSID_X] = {"setsid",
1818 EC_PROCESS | EC_SYSCALL,
1819 EF_MODIFIES_STATE,
1820 1,
1821 {{"res", PT_PID, PF_DEC}}},
1822 [PPME_SYSCALL_MKDIR_2_E] = {"mkdir",
1823 EC_FILE | EC_SYSCALL,
1824 EF_OLD_VERSION | EF_CONVERTER_MANAGED,
1825 1,
1826 {{"mode", PT_UINT32, PF_HEX}}},
1827 [PPME_SYSCALL_MKDIR_2_X] = {"mkdir",
1828 EC_FILE | EC_SYSCALL,
1829 EF_CONVERTER_MANAGED,
1830 3,
1831 {{"res", PT_ERRNO, PF_DEC},
1832 {"path", PT_FSPATH, PF_NA},
1833 {"mode", PT_UINT32, PF_HEX}}},
1834 [PPME_SYSCALL_RMDIR_2_E] = {"rmdir", EC_FILE | EC_SYSCALL, EF_OLD_VERSION, 0},
1835 [PPME_SYSCALL_RMDIR_2_X] = {"rmdir",
1836 EC_FILE | EC_SYSCALL,
1837 EF_NONE,
1838 2,
1839 {{"res", PT_ERRNO, PF_DEC}, {"path", PT_FSPATH, PF_NA}}},
1840 [PPME_NOTIFICATION_E] = {"notification",
1841 EC_OTHER | EC_METAEVENT,
1842 EF_SKIPPARSERESET,
1843 2,
1844 {
1845 {"id", PT_CHARBUF, PF_DEC},
1846 {"desc", PT_CHARBUF, PF_NA},
1847 }},
1848 [PPME_NOTIFICATION_X] = {"NA", EC_UNKNOWN, EF_UNUSED, 0},
1849 [PPME_SYSCALL_EXECVE_17_E] = {"execve",
1850 EC_PROCESS | EC_SYSCALL,
1851 EF_OLD_VERSION | EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
1852 0},
1853 [PPME_SYSCALL_EXECVE_17_X] = {"execve",
1854 EC_PROCESS | EC_SYSCALL,
1855 EF_OLD_VERSION | EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
1856 17,
1857 {{"res", PT_ERRNO, PF_DEC},
1858 {"exe", PT_CHARBUF, PF_NA},
1859 {"args", PT_BYTEBUF, PF_NA},
1860 {"tid", PT_PID, PF_DEC},
1861 {"pid", PT_PID, PF_DEC},
1862 {"ptid", PT_PID, PF_DEC},
1863 {"cwd", PT_CHARBUF, PF_NA},
1864 {"fdlimit", PT_UINT64, PF_DEC},
1865 {"pgft_maj", PT_UINT64, PF_DEC},
1866 {"pgft_min", PT_UINT64, PF_DEC},
1867 {"vm_size", PT_UINT32, PF_DEC},
1868 {"vm_rss", PT_UINT32, PF_DEC},
1869 {"vm_swap", PT_UINT32, PF_DEC},
1870 {"comm", PT_CHARBUF, PF_NA},
1871 {"cgroups", PT_BYTEBUF, PF_NA},
1872 {"env", PT_BYTEBUF, PF_NA},
1873 {"tty", PT_INT32, PF_DEC}}},
1874 [PPME_SYSCALL_UNSHARE_E] = {"unshare",
1875 EC_PROCESS | EC_SYSCALL,
1876 EF_OLD_VERSION | EF_CONVERTER_MANAGED,
1877 1,
1878 {{"flags", PT_FLAGS32, PF_HEX, clone_flags}}},
1879 [PPME_SYSCALL_UNSHARE_X] = {"unshare",
1880 EC_PROCESS | EC_SYSCALL,
1881 EF_CONVERTER_MANAGED,
1882 2,
1883 {{"res", PT_ERRNO, PF_DEC},
1884 {"flags", PT_FLAGS32, PF_HEX, clone_flags}}},
1885 [PPME_INFRASTRUCTURE_EVENT_E] = {"infra",
1886 EC_INTERNAL | EC_METAEVENT,
1887 EF_SKIPPARSERESET,
1888 4,
1889 {{"source", PT_CHARBUF, PF_DEC},
1890 {"name", PT_CHARBUF, PF_NA},
1891 {"description", PT_CHARBUF, PF_NA},
1892 {"scope", PT_CHARBUF, PF_NA}}},
1893 [PPME_INFRASTRUCTURE_EVENT_X] = {"NA", EC_UNKNOWN, EF_UNUSED, 0},
1894 [PPME_SYSCALL_EXECVE_18_E] = {"execve",
1895 EC_PROCESS | EC_SYSCALL,
1896 EF_OLD_VERSION | EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
1897 1,
1898 {{"filename", PT_FSPATH, PF_NA}}},
1899 [PPME_SYSCALL_EXECVE_18_X] = {"execve",
1900 EC_PROCESS | EC_SYSCALL,
1901 EF_OLD_VERSION | EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
1902 17,
1903 {{"res", PT_ERRNO, PF_DEC},
1904 {"exe", PT_CHARBUF, PF_NA},
1905 {"args", PT_BYTEBUF, PF_NA},
1906 {"tid", PT_PID, PF_DEC},
1907 {"pid", PT_PID, PF_DEC},
1908 {"ptid", PT_PID, PF_DEC},
1909 {"cwd", PT_CHARBUF, PF_NA},
1910 {"fdlimit", PT_UINT64, PF_DEC},
1911 {"pgft_maj", PT_UINT64, PF_DEC},
1912 {"pgft_min", PT_UINT64, PF_DEC},
1913 {"vm_size", PT_UINT32, PF_DEC},
1914 {"vm_rss", PT_UINT32, PF_DEC},
1915 {"vm_swap", PT_UINT32, PF_DEC},
1916 {"comm", PT_CHARBUF, PF_NA},
1917 {"cgroups", PT_BYTEBUF, PF_NA},
1918 {"env", PT_BYTEBUF, PF_NA},
1919 {"tty", PT_INT32, PF_DEC}}},
1920 [PPME_PAGE_FAULT_E] = {"page_fault",
1921 EC_OTHER | EC_TRACEPOINT,
1922 EF_SKIPPARSERESET,
1923 3,
1924 {{"addr", PT_UINT64, PF_HEX},
1925 {"ip", PT_UINT64, PF_HEX},
1926 {"error", PT_FLAGS32, PF_HEX, pf_flags}}},
1927 [PPME_PAGE_FAULT_X] = {"NA", EC_UNKNOWN, EF_UNUSED, 0},
1928 [PPME_SYSCALL_EXECVE_19_E] = {"execve",
1929 EC_PROCESS | EC_SYSCALL,
1930 EF_OLD_VERSION | EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
1931 1,
1932 {{"filename", PT_FSPATH, PF_NA}}},
1933 [PPME_SYSCALL_EXECVE_19_X] = {"execve",
1934 EC_PROCESS | EC_SYSCALL,
1935 EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
1936 30,
1937 {{"res", PT_ERRNO, PF_DEC},
1938 {"exe", PT_CHARBUF, PF_NA},
1939 {"args", PT_BYTEBUF, PF_NA},
1940 {"tid", PT_PID, PF_DEC},
1941 {"pid", PT_PID, PF_DEC},
1942 {"ptid", PT_PID, PF_DEC},
1943 {"cwd", PT_CHARBUF, PF_NA},
1944 {"fdlimit", PT_UINT64, PF_DEC},
1945 {"pgft_maj", PT_UINT64, PF_DEC},
1946 {"pgft_min", PT_UINT64, PF_DEC},
1947 {"vm_size", PT_UINT32, PF_DEC},
1948 {"vm_rss", PT_UINT32, PF_DEC},
1949 {"vm_swap", PT_UINT32, PF_DEC},
1950 {"comm", PT_CHARBUF, PF_NA},
1951 {"cgroups", PT_BYTEBUF, PF_NA},
1952 {"env", PT_BYTEBUF, PF_NA},
1953 {"tty", PT_UINT32, PF_DEC},
1954 {"vpgid", PT_PID, PF_DEC},
1955 {"loginuid", PT_UID, PF_DEC},
1956 {"flags", PT_FLAGS32, PF_HEX, execve_flags},
1957 {"cap_inheritable", PT_UINT64, PF_HEX},
1958 {"cap_permitted", PT_UINT64, PF_HEX},
1959 {"cap_effective", PT_UINT64, PF_HEX},
1960 {"exe_ino", PT_UINT64, PF_DEC},
1961 {"exe_ino_ctime", PT_ABSTIME, PF_DEC},
1962 {"exe_ino_mtime", PT_ABSTIME, PF_DEC},
1963 {"uid", PT_UID, PF_DEC},
1964 {"trusted_exepath", PT_FSPATH, PF_NA},
1965 {"pgid", PT_PID, PF_NA},
1966 {"gid", PT_GID, PF_DEC}}},
1967 [PPME_SYSCALL_SETPGID_E] = {"setpgid",
1968 EC_PROCESS | EC_SYSCALL,
1969 EF_OLD_VERSION | EF_CONVERTER_MANAGED,
1970 2,
1971 {{"pid", PT_PID, PF_DEC}, {"pgid", PT_PID, PF_DEC}}},
1972 [PPME_SYSCALL_SETPGID_X] = {"setpgid",
1973 EC_PROCESS | EC_SYSCALL,
1974 EF_CONVERTER_MANAGED,
1975 3,
1976 {{"res", PT_ERRNO, PF_DEC},
1977 {"pid", PT_PID, PF_DEC},
1978 {"pgid", PT_PID, PF_DEC}}},
1979 [PPME_SYSCALL_BPF_E] = {"bpf",
1980 EC_OTHER | EC_SYSCALL,
1981 EF_OLD_VERSION | EF_CREATES_FD | EF_CONVERTER_MANAGED,
1982 1,
1983 {{"cmd", PT_INT64, PF_DEC}}},
1984 [PPME_SYSCALL_BPF_X] =
1985 {"bpf",
1986 EC_OTHER | EC_SYSCALL,
1987 EF_OLD_VERSION | EF_CREATES_FD | EF_CONVERTER_MANAGED,
1988 1,
1989 {{"res_or_fd", PT_DYN, PF_DEC, bpf_dynamic_param, PPM_BPF_IDX_MAX}}},
1990 [PPME_SYSCALL_SECCOMP_E] = {"seccomp",
1991 EC_OTHER | EC_SYSCALL,
1992 EF_OLD_VERSION | EF_CONVERTER_MANAGED,
1993 2,
1994 {{"op", PT_UINT64, PF_DEC}, {"flags", PT_UINT64, PF_HEX}}},
1995 [PPME_SYSCALL_SECCOMP_X] = {"seccomp",
1996 EC_OTHER | EC_SYSCALL,
1997 EF_CONVERTER_MANAGED,
1998 3,
1999 {{"res", PT_ERRNO, PF_DEC},
2000 {"op", PT_UINT64, PF_DEC},
2001 {"flags", PT_UINT64, PF_HEX}}},
2002 [PPME_SYSCALL_UNLINK_2_E] = {"unlink", EC_FILE | EC_SYSCALL, EF_OLD_VERSION, 0},
2003 [PPME_SYSCALL_UNLINK_2_X] = {"unlink",
2004 EC_FILE | EC_SYSCALL,
2005 EF_NONE,
2006 2,
2007 {{"res", PT_ERRNO, PF_DEC}, {"path", PT_FSPATH, PF_NA}}},
2008 [PPME_SYSCALL_UNLINKAT_2_E] = {"unlinkat", EC_FILE | EC_SYSCALL, EF_OLD_VERSION, 0},
2009 [PPME_SYSCALL_UNLINKAT_2_X] = {"unlinkat",
2010 EC_FILE | EC_SYSCALL,
2011 EF_USES_FD,
2012 4,
2013 {{"res", PT_ERRNO, PF_DEC},
2014 {"dirfd", PT_FD, PF_DEC},
2015 {"name", PT_FSRELPATH, PF_NA, 1},
2016 {"flags", PT_FLAGS32, PF_HEX, unlinkat_flags}}},
2017 [PPME_SYSCALL_MKDIRAT_E] = {"mkdirat", EC_FILE | EC_SYSCALL, EF_OLD_VERSION, 0},
2018 [PPME_SYSCALL_MKDIRAT_X] = {"mkdirat",
2019 EC_FILE | EC_SYSCALL,
2020 EF_USES_FD,
2021 4,
2022 {{"res", PT_ERRNO, PF_DEC},
2023 {"dirfd", PT_FD, PF_DEC},
2024 {"path", PT_FSRELPATH, PF_NA, 1},
2025 {"mode", PT_UINT32, PF_HEX}}},
2026 [PPME_SYSCALL_OPENAT_2_E] = {"openat",
2027 EC_FILE | EC_SYSCALL,
2028 EF_CREATES_FD | EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
2029 4,
2030 {{"dirfd", PT_FD, PF_DEC},
2031 {"name", PT_FSRELPATH, PF_NA, 0},
2032 {"flags", PT_FLAGS32, PF_HEX, file_flags},
2033 {"mode", PT_UINT32, PF_OCT}}},
2034 [PPME_SYSCALL_OPENAT_2_X] = {"openat",
2035 EC_FILE | EC_SYSCALL,
2036 EF_CREATES_FD | EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
2037 7,
2038 {{"fd", PT_FD, PF_DEC},
2039 {"dirfd", PT_FD, PF_DEC},
2040 {"name", PT_FSRELPATH, PF_NA, 1},
2041 {"flags", PT_FLAGS32, PF_HEX, file_flags},
2042 {"mode", PT_UINT32, PF_OCT},
2043 {"dev", PT_UINT32, PF_HEX},
2044 {"ino", PT_UINT64, PF_DEC}}},
2045 [PPME_SYSCALL_LINK_2_E] = {"link", EC_FILE | EC_SYSCALL, EF_OLD_VERSION, 0},
2046 [PPME_SYSCALL_LINK_2_X] = {"link",
2047 EC_FILE | EC_SYSCALL,
2048 EF_NONE,
2049 3,
2050 {{"res", PT_ERRNO, PF_DEC},
2051 {"oldpath", PT_FSPATH, PF_NA},
2052 {"newpath", PT_FSPATH, PF_NA}}},
2053 [PPME_SYSCALL_LINKAT_2_E] = {"linkat", EC_FILE | EC_SYSCALL, EF_OLD_VERSION, 0},
2054 [PPME_SYSCALL_LINKAT_2_X] = {"linkat",
2055 EC_FILE | EC_SYSCALL,
2056 EF_NONE,
2057 6,
2058 {{"res", PT_ERRNO, PF_DEC},
2059 {"olddir", PT_FD, PF_DEC},
2060 {"oldpath", PT_FSRELPATH, PF_NA, 1},
2061 {"newdir", PT_FD, PF_DEC},
2062 {"newpath", PT_FSRELPATH, PF_NA, 3},
2063 {"flags", PT_FLAGS32, PF_HEX, linkat_flags}}},
2064 [PPME_SYSCALL_FCHMODAT_E] = {"fchmodat", EC_FILE | EC_SYSCALL, EF_OLD_VERSION, 0},
2065 [PPME_SYSCALL_FCHMODAT_X] = {"fchmodat",
2066 EC_FILE | EC_SYSCALL,
2067 EF_USES_FD,
2068 4,
2069 {{"res", PT_ERRNO, PF_DEC},
2070 {"dirfd", PT_FD, PF_DEC},
2071 {"filename", PT_FSRELPATH, PF_NA, 1},
2072 {"mode", PT_MODE, PF_OCT, chmod_mode}}},
2073 [PPME_SYSCALL_CHMOD_E] = {"chmod", EC_FILE | EC_SYSCALL, EF_OLD_VERSION, 0},
2074 [PPME_SYSCALL_CHMOD_X] = {"chmod",
2075 EC_FILE | EC_SYSCALL,
2076 EF_NONE,
2077 3,
2078 {{"res", PT_ERRNO, PF_DEC},
2079 {"filename", PT_FSPATH, PF_NA},
2080 {"mode", PT_MODE, PF_OCT, chmod_mode}}},
2081 [PPME_SYSCALL_FCHMOD_E] = {"fchmod", EC_FILE | EC_SYSCALL, EF_OLD_VERSION, 0},
2082 [PPME_SYSCALL_FCHMOD_X] = {"fchmod",
2083 EC_FILE | EC_SYSCALL,
2084 EF_USES_FD,
2085 3,
2086 {{"res", PT_ERRNO, PF_DEC},
2087 {"fd", PT_FD, PF_DEC},
2088 {"mode", PT_MODE, PF_OCT, chmod_mode}}},
2089 [PPME_SYSCALL_RENAMEAT2_E] = {"renameat2", EC_FILE | EC_SYSCALL, EF_OLD_VERSION, 0},
2090 [PPME_SYSCALL_RENAMEAT2_X] = {"renameat2",
2091 EC_FILE | EC_SYSCALL,
2092 EF_NONE,
2093 6,
2094 {{"res", PT_ERRNO, PF_DEC},
2095 {"olddirfd", PT_FD, PF_DEC},
2096 {"oldpath", PT_FSRELPATH, PF_NA, 1},
2097 {"newdirfd", PT_FD, PF_DEC},
2098 {"newpath", PT_FSRELPATH, PF_NA, 3},
2099 {"flags", PT_FLAGS32, PF_HEX, renameat2_flags}}},
2100 [PPME_SYSCALL_USERFAULTFD_E] = {"userfaultfd",
2101 EC_FILE | EC_SYSCALL,
2102 EF_OLD_VERSION | EF_CREATES_FD | EF_MODIFIES_STATE,
2103 0},
2104 [PPME_SYSCALL_USERFAULTFD_X] = {"userfaultfd",
2105 EC_FILE | EC_SYSCALL,
2106 EF_CREATES_FD | EF_MODIFIES_STATE,
2107 2,
2108 {{"res", PT_ERRNO, PF_DEC},
2109 {"flags", PT_FLAGS32, PF_HEX, file_flags}}},
2110 [PPME_PLUGINEVENT_E] = {"pluginevent",
2111 EC_OTHER | EC_PLUGIN,
2112 EF_LARGE_PAYLOAD,
2113 2,
2114 {{"plugin_id", PT_UINT32, PF_DEC},
2115 {"event_data", PT_BYTEBUF, PF_NA}}},
2116 [PPME_PLUGINEVENT_X] = {"NA", EC_UNKNOWN, EF_UNUSED, 0},
2117 [PPME_CONTAINER_JSON_2_E] =
2118 {"container",
2119 EC_PROCESS | EC_METAEVENT,
2120 EF_MODIFIES_STATE | EF_LARGE_PAYLOAD,
2121 1,
2122 {{"json", PT_CHARBUF, PF_NA}}},
2123 [PPME_CONTAINER_JSON_2_X] = {"NA", EC_UNKNOWN, EF_UNUSED, 0},
2124 [PPME_SYSCALL_OPENAT2_E] = {"openat2",
2125 EC_FILE | EC_SYSCALL,
2126 EF_CREATES_FD | EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
2127 5,
2128 {{"dirfd", PT_FD, PF_DEC},
2129 {"name", PT_FSRELPATH, PF_NA, 0},
2130 {"flags", PT_FLAGS32, PF_HEX, file_flags},
2131 {"mode", PT_UINT32, PF_OCT},
2132 {"resolve", PT_FLAGS32, PF_HEX, openat2_flags}}},
2133 [PPME_SYSCALL_OPENAT2_X] = {"openat2",
2134 EC_FILE | EC_SYSCALL,
2135 EF_CREATES_FD | EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
2136 8,
2137 {{"fd", PT_FD, PF_DEC},
2138 {"dirfd", PT_FD, PF_DEC},
2139 {"name", PT_FSRELPATH, PF_NA, 1},
2140 {"flags", PT_FLAGS32, PF_HEX, file_flags},
2141 {"mode", PT_UINT32, PF_OCT},
2142 {"resolve", PT_FLAGS32, PF_HEX, openat2_flags},
2143 {"dev", PT_UINT32, PF_HEX},
2144 {"ino", PT_UINT64, PF_DEC}}},
2145 [PPME_SYSCALL_MPROTECT_E] = {"mprotect",
2146 EC_MEMORY | EC_SYSCALL,
2147 EF_OLD_VERSION | EF_CONVERTER_MANAGED,
2148 3,
2149 {{"addr", PT_UINT64, PF_HEX},
2150 {"length", PT_UINT64, PF_DEC},
2151 {"prot", PT_FLAGS32, PF_HEX, prot_flags}}},
2152 [PPME_SYSCALL_MPROTECT_X] = {"mprotect",
2153 EC_MEMORY | EC_SYSCALL,
2154 EF_CONVERTER_MANAGED,
2155 4,
2156 {{"res", PT_ERRNO, PF_DEC},
2157 {"addr", PT_UINT64, PF_HEX},
2158 {"length", PT_UINT64, PF_DEC},
2159 {"prot", PT_FLAGS32, PF_HEX, prot_flags}}},
2160 [PPME_SYSCALL_EXECVEAT_E] = {"execveat",
2161 EC_PROCESS | EC_SYSCALL,
2162 EF_OLD_VERSION | EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
2163 3,
2164 {{"dirfd", PT_FD, PF_DEC},
2165 {"pathname", PT_FSRELPATH, PF_NA, 0},
2166 {"flags", PT_FLAGS32, PF_HEX, execveat_flags}}},
2167 [PPME_SYSCALL_EXECVEAT_X] = {"execveat",
2168 EC_PROCESS | EC_SYSCALL,
2169 EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
2170 30,
2171 {{"res", PT_ERRNO, PF_DEC},
2172 {"exe", PT_CHARBUF, PF_NA},
2173 {"args", PT_BYTEBUF, PF_NA},
2174 {"tid", PT_PID, PF_DEC},
2175 {"pid", PT_PID, PF_DEC},
2176 {"ptid", PT_PID, PF_DEC},
2177 {"cwd", PT_CHARBUF, PF_NA},
2178 {"fdlimit", PT_UINT64, PF_DEC},
2179 {"pgft_maj", PT_UINT64, PF_DEC},
2180 {"pgft_min", PT_UINT64, PF_DEC},
2181 {"vm_size", PT_UINT32, PF_DEC},
2182 {"vm_rss", PT_UINT32, PF_DEC},
2183 {"vm_swap", PT_UINT32, PF_DEC},
2184 {"comm", PT_CHARBUF, PF_NA},
2185 {"cgroups", PT_BYTEBUF, PF_NA},
2186 {"env", PT_BYTEBUF, PF_NA},
2187 {"tty", PT_UINT32, PF_DEC},
2188 {"vpgid", PT_PID, PF_DEC},
2189 {"loginuid", PT_UID, PF_DEC},
2190 {"flags", PT_FLAGS32, PF_HEX, execve_flags},
2191 {"cap_inheritable", PT_UINT64, PF_HEX},
2192 {"cap_permitted", PT_UINT64, PF_HEX},
2193 {"cap_effective", PT_UINT64, PF_HEX},
2194 {"exe_ino", PT_UINT64, PF_DEC},
2195 {"exe_ino_ctime", PT_ABSTIME, PF_DEC},
2196 {"exe_ino_mtime", PT_ABSTIME, PF_DEC},
2197 {"uid", PT_UID, PF_DEC},
2198 {"trusted_exepath", PT_FSPATH, PF_NA},
2199 {"pgid", PT_PID, PF_NA},
2200 {"gid", PT_GID, PF_DEC}}},
2201 [PPME_SYSCALL_COPY_FILE_RANGE_E] = {"copy_file_range",
2202 EC_FILE | EC_SYSCALL,
2203 EF_OLD_VERSION | EF_USES_FD | EF_READS_FROM_FD |
2204 EF_WRITES_TO_FD | EF_CONVERTER_MANAGED,
2205 3,
2206 {{"fdin", PT_FD, PF_DEC},
2207 {"offin", PT_UINT64, PF_DEC},
2208 {"len", PT_UINT64, PF_DEC}}},
2209 [PPME_SYSCALL_COPY_FILE_RANGE_X] = {"copy_file_range",
2210 EC_FILE | EC_SYSCALL,
2211 EF_USES_FD | EF_READS_FROM_FD | EF_WRITES_TO_FD |
2212 EF_CONVERTER_MANAGED,
2213 6,
2214 {{"res", PT_ERRNO, PF_DEC},
2215 {"fdout", PT_FD, PF_DEC},
2216 {"offout", PT_UINT64, PF_DEC},
2217 {"fdin", PT_FD, PF_DEC},
2218 {"offin", PT_UINT64, PF_DEC},
2219 {"len", PT_UINT64, PF_DEC}}},
2220 [PPME_SYSCALL_CLONE3_E] = {"clone3",
2221 EC_PROCESS | EC_SYSCALL,
2222 EF_OLD_VERSION | EF_MODIFIES_STATE,
2223 0},
2224 [PPME_SYSCALL_CLONE3_X] = {"clone3",
2225 EC_PROCESS | EC_SYSCALL,
2226 EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
2227 21,
2228 {{"res", PT_PID, PF_DEC},
2229 {"exe", PT_CHARBUF, PF_NA},
2230 {"args", PT_BYTEBUF, PF_NA},
2231 {"tid", PT_PID, PF_DEC},
2232 {"pid", PT_PID, PF_DEC},
2233 {"ptid", PT_PID, PF_DEC},
2234 {"cwd", PT_CHARBUF, PF_NA},
2235 {"fdlimit", PT_INT64, PF_DEC},
2236 {"pgft_maj", PT_UINT64, PF_DEC},
2237 {"pgft_min", PT_UINT64, PF_DEC},
2238 {"vm_size", PT_UINT32, PF_DEC},
2239 {"vm_rss", PT_UINT32, PF_DEC},
2240 {"vm_swap", PT_UINT32, PF_DEC},
2241 {"comm", PT_CHARBUF, PF_NA},
2242 {"cgroups", PT_BYTEBUF, PF_NA},
2243 {"flags", PT_FLAGS32, PF_HEX, clone_flags},
2244 {"uid", PT_UINT32, PF_DEC},
2245 {"gid", PT_UINT32, PF_DEC},
2246 {"vtid", PT_PID, PF_DEC},
2247 {"vpid", PT_PID, PF_DEC},
2248 {"pidns_init_start_ts", PT_UINT64, PF_DEC}}},
2249 [PPME_SYSCALL_OPEN_BY_HANDLE_AT_E] = {"open_by_handle_at",
2250 EC_FILE | EC_SYSCALL,
2251 EF_OLD_VERSION | EF_CREATES_FD | EF_MODIFIES_STATE,
2252 0},
2253 [PPME_SYSCALL_OPEN_BY_HANDLE_AT_X] = {"open_by_handle_at",
2254 EC_FILE | EC_SYSCALL,
2255 EF_CREATES_FD | EF_MODIFIES_STATE,
2256 6,
2257 {{"fd", PT_FD, PF_DEC},
2258 {"mountfd", PT_FD, PF_DEC},
2259 {"flags", PT_FLAGS32, PF_HEX, file_flags},
2260 {"path", PT_FSPATH, PF_NA},
2261 {"dev", PT_UINT32, PF_HEX},
2262 {"ino", PT_UINT64, PF_DEC}}},
2263 [PPME_SYSCALL_IO_URING_SETUP_E] = {"io_uring_setup",
2264 EC_IO_OTHER | EC_SYSCALL,
2265 EF_OLD_VERSION | EF_CREATES_FD | EF_MODIFIES_STATE,
2266 0},
2267 [PPME_SYSCALL_IO_URING_SETUP_X] =
2268 {"io_uring_setup",
2269 EC_IO_OTHER | EC_SYSCALL,
2270 EF_CREATES_FD | EF_MODIFIES_STATE,
2271 8,
2272 {{"res", PT_ERRNO, PF_DEC},
2273 {"entries", PT_UINT32, PF_DEC},
2274 {"sq_entries", PT_UINT32, PF_DEC},
2275 {"cq_entries", PT_UINT32, PF_DEC},
2276 {"flags", PT_FLAGS32, PF_HEX, io_uring_setup_flags},
2277 {"sq_thread_cpu", PT_UINT32, PF_DEC},
2278 {"sq_thread_idle", PT_UINT32, PF_DEC},
2279 {"features", PT_FLAGS32, PF_HEX, io_uring_setup_feats}}},
2280 [PPME_SYSCALL_IO_URING_ENTER_E] = {"io_uring_enter",
2281 EC_IO_OTHER | EC_SYSCALL,
2282 EF_OLD_VERSION,
2283 0},
2284 [PPME_SYSCALL_IO_URING_ENTER_X] = {"io_uring_enter",
2285 EC_IO_OTHER | EC_SYSCALL,
2286 EF_USES_FD,
2287 6,
2288 {{"res", PT_ERRNO, PF_DEC},
2289 {"fd", PT_FD, PF_DEC},
2290 {"to_submit", PT_UINT32, PF_DEC},
2291 {"min_complete", PT_UINT32, PF_DEC},
2292 {"flags", PT_FLAGS32, PF_HEX, io_uring_enter_flags},
2293 {"sig", PT_SIGSET, PF_DEC}}},
2294 [PPME_SYSCALL_IO_URING_REGISTER_E] = {"io_uring_register",
2295 EC_IO_OTHER | EC_SYSCALL,
2296 EF_OLD_VERSION,
2297 0},
2298 [PPME_SYSCALL_IO_URING_REGISTER_X] =
2299 {"io_uring_register",
2300 EC_IO_OTHER | EC_SYSCALL,
2301 EF_USES_FD,
2302 5,
2303 {{"res", PT_ERRNO, PF_DEC},
2304 {"fd", PT_FD, PF_DEC},
2305 {"opcode", PT_ENUMFLAGS16, PF_DEC, io_uring_register_opcodes},
2306 {"arg", PT_UINT64, PF_HEX},
2307 {"nr_args", PT_UINT32, PF_DEC}}},
2308 [PPME_SYSCALL_MLOCK_E] = {"mlock", EC_MEMORY | EC_SYSCALL, EF_OLD_VERSION, 0},
2309 [PPME_SYSCALL_MLOCK_X] = {"mlock",
2310 EC_MEMORY | EC_SYSCALL,
2311 EF_NONE,
2312 3,
2313 {{"res", PT_ERRNO, PF_DEC},
2314 {"addr", PT_UINT64, PF_HEX},
2315 {"len", PT_UINT64, PF_DEC}}},
2316 [PPME_SYSCALL_MUNLOCK_E] = {"munlock", EC_MEMORY | EC_SYSCALL, EF_OLD_VERSION, 0},
2317 [PPME_SYSCALL_MUNLOCK_X] = {"munlock",
2318 EC_MEMORY | EC_SYSCALL,
2319 EF_NONE,
2320 3,
2321 {{"res", PT_ERRNO, PF_DEC},
2322 {"addr", PT_UINT64, PF_HEX},
2323 {"len", PT_UINT64, PF_DEC}}},
2324 [PPME_SYSCALL_MLOCKALL_E] = {"mlockall", EC_MEMORY | EC_SYSCALL, EF_OLD_VERSION, 0},
2325 [PPME_SYSCALL_MLOCKALL_X] = {"mlockall",
2326 EC_MEMORY | EC_SYSCALL,
2327 EF_NONE,
2328 2,
2329 {{"res", PT_ERRNO, PF_DEC},
2330 {"flags", PT_FLAGS32, PF_HEX, mlockall_flags}}},
2331 [PPME_SYSCALL_MUNLOCKALL_E] = {"munlockall", EC_MEMORY | EC_SYSCALL, EF_OLD_VERSION, 0},
2332 [PPME_SYSCALL_MUNLOCKALL_X] =
2333 {"munlockall", EC_MEMORY | EC_SYSCALL, EF_NONE, 1, {{"res", PT_ERRNO, PF_DEC}}},
2334 [PPME_SYSCALL_CAPSET_E] = {"capset",
2335 EC_PROCESS | EC_SYSCALL,
2336 EF_OLD_VERSION | EF_MODIFIES_STATE,
2337 0},
2338 [PPME_SYSCALL_CAPSET_X] = {"capset",
2339 EC_PROCESS | EC_SYSCALL,
2340 EF_MODIFIES_STATE,
2341 4,
2342 {{"res", PT_ERRNO, PF_DEC},
2343 {"cap_inheritable", PT_UINT64, PF_HEX},
2344 {"cap_permitted", PT_UINT64, PF_HEX},
2345 {"cap_effective", PT_UINT64, PF_HEX}}},
2346 [PPME_USER_ADDED_E] = {"useradded",
2347 EC_PROCESS | EC_METAEVENT,
2348 EF_MODIFIES_STATE,
2349 6,
2350 {{"uid", PT_UINT32, PF_DEC},
2351 {"gid", PT_UINT32, PF_DEC},
2352 {"name", PT_CHARBUF, PF_NA},
2353 {"home", PT_CHARBUF, PF_NA},
2354 {"shell", PT_CHARBUF, PF_NA},
2355 {"container_id", PT_CHARBUF, PF_NA}}},
2356 [PPME_USER_ADDED_X] = {"NA", EC_UNKNOWN, EF_UNUSED, 0},
2357 [PPME_USER_DELETED_E] = {"userdeleted",
2358 EC_PROCESS | EC_METAEVENT,
2359 EF_MODIFIES_STATE,
2360 6,
2361 {{"uid", PT_UINT32, PF_DEC},
2362 {"gid", PT_UINT32, PF_DEC},
2363 {"name", PT_CHARBUF, PF_NA},
2364 {"home", PT_CHARBUF, PF_NA},
2365 {"shell", PT_CHARBUF, PF_NA},
2366 {"container_id", PT_CHARBUF, PF_NA}}},
2367 [PPME_USER_DELETED_X] = {"NA", EC_UNKNOWN, EF_UNUSED, 0},
2368 [PPME_GROUP_ADDED_E] = {"groupadded",
2369 EC_PROCESS | EC_METAEVENT,
2370 EF_MODIFIES_STATE,
2371 3,
2372 {{"gid", PT_UINT32, PF_DEC},
2373 {"name", PT_CHARBUF, PF_NA},
2374 {"container_id", PT_CHARBUF, PF_NA}}},
2375 [PPME_GROUP_ADDED_X] = {"NA", EC_UNKNOWN, EF_UNUSED, 0},
2376 [PPME_GROUP_DELETED_E] = {"groupdeleted",
2377 EC_PROCESS | EC_METAEVENT,
2378 EF_MODIFIES_STATE,
2379 3,
2380 {{"gid", PT_UINT32, PF_DEC},
2381 {"name", PT_CHARBUF, PF_NA},
2382 {"container_id", PT_CHARBUF, PF_NA}}},
2383 [PPME_GROUP_DELETED_X] = {"NA", EC_UNKNOWN, EF_UNUSED, 0},
2384 [PPME_SYSCALL_DUP2_E] = {"dup2",
2385 EC_IO_OTHER | EC_SYSCALL,
2386 EF_OLD_VERSION | EF_CREATES_FD | EF_USES_FD | EF_MODIFIES_STATE,
2387 1,
2388 {{"fd", PT_FD, PF_DEC}}},
2389 [PPME_SYSCALL_DUP2_X] = {"dup2",
2390 EC_IO_OTHER | EC_SYSCALL,
2391 EF_CREATES_FD | EF_USES_FD | EF_MODIFIES_STATE,
2392 3,
2393 {{"res", PT_FD, PF_DEC},
2394 {"oldfd", PT_FD, PF_DEC},
2395 {"newfd", PT_FD, PF_DEC}}},
2396 [PPME_SYSCALL_DUP3_E] = {"dup3",
2397 EC_IO_OTHER | EC_SYSCALL,
2398 EF_OLD_VERSION | EF_CREATES_FD | EF_USES_FD | EF_MODIFIES_STATE,
2399 1,
2400 {{"fd", PT_FD, PF_DEC}}},
2401 [PPME_SYSCALL_DUP3_X] = {"dup3",
2402 EC_IO_OTHER | EC_SYSCALL,
2403 EF_CREATES_FD | EF_USES_FD | EF_MODIFIES_STATE,
2404 4,
2405 {{"res", PT_FD, PF_DEC},
2406 {"oldfd", PT_FD, PF_DEC},
2407 {"newfd", PT_FD, PF_DEC},
2408 {"flags", PT_FLAGS32, PF_HEX, file_flags}}},
2409 [PPME_SYSCALL_DUP_1_E] = {"dup",
2410 EC_IO_OTHER | EC_SYSCALL,
2411 EF_OLD_VERSION | EF_CREATES_FD | EF_USES_FD | EF_MODIFIES_STATE,
2412 1,
2413 {{"fd", PT_FD, PF_DEC}}},
2414 [PPME_SYSCALL_DUP_1_X] = {"dup",
2415 EC_IO_OTHER | EC_SYSCALL,
2416 EF_CREATES_FD | EF_USES_FD | EF_MODIFIES_STATE,
2417 2,
2418 {{"res", PT_FD, PF_DEC}, {"oldfd", PT_FD, PF_DEC}}},
2419 [PPME_SYSCALL_BPF_2_E] = {"bpf",
2420 EC_OTHER | EC_SYSCALL,
2421 EF_OLD_VERSION | EF_CREATES_FD,
2422 1,
2423 {{"cmd", PT_INT64, PF_DEC}}},
2424 [PPME_SYSCALL_BPF_2_X] = {"bpf",
2425 EC_OTHER | EC_SYSCALL,
2426 EF_CREATES_FD,
2427 2,
2428 {{"fd", PT_FD, PF_DEC},
2429 {"cmd", PT_ENUMFLAGS32, PF_DEC, bpf_commands}}},
2430 [PPME_SYSCALL_MLOCK2_E] = {"mlock2", EC_MEMORY | EC_SYSCALL, EF_OLD_VERSION, 0},
2431 [PPME_SYSCALL_MLOCK2_X] = {"mlock2",
2432 EC_MEMORY | EC_SYSCALL,
2433 EF_NONE,
2434 4,
2435 {{"res", PT_ERRNO, PF_DEC},
2436 {"addr", PT_UINT64, PF_HEX},
2437 {"len", PT_UINT64, PF_DEC},
2438 {"flags", PT_FLAGS32, PF_HEX, mlock2_flags}}},
2439 [PPME_SYSCALL_FSCONFIG_E] = {"fsconfig", EC_SYSTEM | EC_SYSCALL, EF_OLD_VERSION, 0},
2440 [PPME_SYSCALL_FSCONFIG_X] = {"fsconfig",
2441 EC_SYSTEM | EC_SYSCALL,
2442 EF_USES_FD,
2443 7,
2444 {{"res", PT_ERRNO, PF_DEC},
2445 {"fd", PT_FD, PF_DEC},
2446 {"cmd", PT_ENUMFLAGS32, PF_DEC, fsconfig_cmds},
2447 {"key", PT_CHARBUF, PF_NA},
2448 {"value_bytebuf", PT_BYTEBUF, PF_NA},
2449 {"value_charbuf", PT_CHARBUF, PF_NA},
2450 {"aux", PT_INT32, PF_DEC}}},
2451 [PPME_SYSCALL_EPOLL_CREATE_E] = {"epoll_create",
2452 EC_WAIT | EC_SYSCALL,
2453 EF_OLD_VERSION | EF_CREATES_FD | EF_MODIFIES_STATE |
2454 EF_CONVERTER_MANAGED,
2455 1,
2456 {{"size", PT_INT32, PF_DEC}}},
2457 [PPME_SYSCALL_EPOLL_CREATE_X] = {"epoll_create",
2458 EC_WAIT | EC_SYSCALL,
2459 EF_CREATES_FD | EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
2460 2,
2461 {{"res", PT_ERRNO, PF_DEC}, {"size", PT_INT32, PF_DEC}}},
2462 [PPME_SYSCALL_EPOLL_CREATE1_E] = {"epoll_create1",
2463 EC_WAIT | EC_SYSCALL,
2464 EF_OLD_VERSION | EF_CREATES_FD | EF_MODIFIES_STATE |
2465 EF_CONVERTER_MANAGED,
2466 1,
2467 {{"flags", PT_FLAGS32, PF_HEX, epoll_create1_flags}}},
2468 [PPME_SYSCALL_EPOLL_CREATE1_X] = {"epoll_create1",
2469 EC_WAIT | EC_SYSCALL,
2470 EF_CREATES_FD | EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
2471 2,
2472 {{"res", PT_ERRNO, PF_DEC},
2473 {"flags", PT_FLAGS32, PF_HEX, epoll_create1_flags}}},
2474 [PPME_SYSCALL_CHOWN_E] = {"chown", EC_FILE | EC_SYSCALL, EF_OLD_VERSION, 0},
2475 [PPME_SYSCALL_CHOWN_X] = {"chown",
2476 EC_FILE | EC_SYSCALL,
2477 EF_NONE,
2478 4,
2479 {{"res", PT_ERRNO, PF_DEC},
2480 {"path", PT_FSPATH, PF_NA},
2481 {"uid", PT_UINT32, PF_DEC},
2482 {"gid", PT_UINT32, PF_DEC}}},
2483 [PPME_SYSCALL_LCHOWN_E] = {"lchown", EC_FILE | EC_SYSCALL, EF_OLD_VERSION, 0},
2484 [PPME_SYSCALL_LCHOWN_X] = {"lchown",
2485 EC_FILE | EC_SYSCALL,
2486 EF_NONE,
2487 4,
2488 {{"res", PT_ERRNO, PF_DEC},
2489 {"path", PT_FSPATH, PF_NA},
2490 {"uid", PT_UINT32, PF_DEC},
2491 {"gid", PT_UINT32, PF_DEC}}},
2492 [PPME_SYSCALL_FCHOWN_E] = {"fchown", EC_FILE | EC_SYSCALL, EF_OLD_VERSION, 0},
2493 [PPME_SYSCALL_FCHOWN_X] = {"fchown",
2494 EC_FILE | EC_SYSCALL,
2495 EF_USES_FD,
2496 4,
2497 {{"res", PT_ERRNO, PF_DEC},
2498 {"fd", PT_FD, PF_DEC},
2499 {"uid", PT_UINT32, PF_DEC},
2500 {"gid", PT_UINT32, PF_DEC}}},
2501 [PPME_SYSCALL_FCHOWNAT_E] = {"fchownat", EC_FILE | EC_SYSCALL, EF_OLD_VERSION, 0},
2502 [PPME_SYSCALL_FCHOWNAT_X] = {"fchownat",
2503 EC_FILE | EC_SYSCALL,
2504 EF_USES_FD,
2505 6,
2506 {{"res", PT_ERRNO, PF_DEC},
2507 {"dirfd", PT_FD, PF_DEC},
2508 {"pathname", PT_FSRELPATH, PF_NA, 1},
2509 {"uid", PT_UINT32, PF_DEC},
2510 {"gid", PT_UINT32, PF_DEC},
2511 {"flags", PT_FLAGS32, PF_HEX, fchownat_flags}}},
2512 [PPME_SYSCALL_UMOUNT_1_E] = {"umount",
2513 EC_FILE | EC_SYSCALL,
2514 EF_OLD_VERSION | EF_MODIFIES_STATE,
2515 0},
2516 [PPME_SYSCALL_UMOUNT_1_X] = {"umount",
2517 EC_FILE | EC_SYSCALL,
2518 EF_MODIFIES_STATE,
2519 2,
2520 {{"res", PT_ERRNO, PF_DEC}, {"name", PT_FSPATH, PF_NA}}},
2521 [PPME_SOCKET_ACCEPT4_6_E] = {"accept4",
2522 EC_NET | EC_SYSCALL,
2523 EF_OLD_VERSION | EF_CREATES_FD | EF_MODIFIES_STATE |
2524 EF_CONVERTER_MANAGED,
2525 1,
2526 {{"flags", PT_INT32, PF_HEX}}},
2527 [PPME_SOCKET_ACCEPT4_6_X] = {"accept4",
2528 EC_NET | EC_SYSCALL,
2529 EF_CREATES_FD | EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
2530 6,
2531 {{"fd", PT_FD, PF_DEC},
2532 {"tuple", PT_SOCKTUPLE, PF_NA},
2533 {"queuepct", PT_UINT8, PF_DEC},
2534 {"queuelen", PT_UINT32, PF_DEC},
2535 {"queuemax", PT_UINT32, PF_DEC},
2536 {"flags", PT_INT32, PF_HEX}}},
2537 [PPME_SYSCALL_UMOUNT2_E] = {"umount2",
2538 EC_FILE | EC_SYSCALL,
2539 EF_OLD_VERSION | EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
2540 1,
2541 {{"flags", PT_FLAGS32, PF_HEX, umount_flags}}},
2542 [PPME_SYSCALL_UMOUNT2_X] = {"umount2",
2543 EC_FILE | EC_SYSCALL,
2544 EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
2545 3,
2546 {{"res", PT_ERRNO, PF_DEC},
2547 {"name", PT_FSPATH, PF_NA},
2548 {"flags", PT_FLAGS32, PF_HEX, umount_flags}}},
2549 [PPME_SYSCALL_PIPE2_E] = {"pipe2",
2550 EC_IPC | EC_SYSCALL,
2551 EF_OLD_VERSION | EF_CREATES_FD | EF_MODIFIES_STATE,
2552 0},
2553 [PPME_SYSCALL_PIPE2_X] = {"pipe2",
2554 EC_IPC | EC_SYSCALL,
2555 EF_CREATES_FD | EF_MODIFIES_STATE,
2556 5,
2557 {{"res", PT_ERRNO, PF_DEC},
2558 {"fd1", PT_FD, PF_DEC},
2559 {"fd2", PT_FD, PF_DEC},
2560 {"ino", PT_UINT64, PF_DEC},
2561 {"flags", PT_FLAGS32, PF_HEX, file_flags}}},
2562 [PPME_SYSCALL_INOTIFY_INIT1_E] = {"inotify_init1",
2563 EC_IPC | EC_SYSCALL,
2564 EF_OLD_VERSION | EF_CREATES_FD | EF_MODIFIES_STATE,
2565 0},
2566 [PPME_SYSCALL_INOTIFY_INIT1_X] = {"inotify_init1",
2567 EC_IPC | EC_SYSCALL,
2568 EF_CREATES_FD | EF_MODIFIES_STATE,
2569 2,
2570 {{"res", PT_FD, PF_DEC},
2571 {"flags", PT_FLAGS16, PF_HEX, file_flags}}},
2572 [PPME_SYSCALL_EVENTFD2_E] = {"eventfd2",
2573 EC_IPC | EC_SYSCALL,
2574 EF_OLD_VERSION | EF_CREATES_FD | EF_MODIFIES_STATE |
2575 EF_CONVERTER_MANAGED,
2576 1,
2577 {{"initval", PT_UINT64, PF_DEC}}},
2578 [PPME_SYSCALL_EVENTFD2_X] = {"eventfd2",
2579 EC_IPC | EC_SYSCALL,
2580 EF_CREATES_FD | EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
2581 3,
2582 {{"res", PT_FD, PF_DEC},
2583 {"flags", PT_FLAGS16, PF_HEX, file_flags},
2584 {"initval", PT_UINT64, PF_DEC}}},
2585 [PPME_SYSCALL_SIGNALFD4_E] = {"signalfd4",
2586 EC_SIGNAL | EC_SYSCALL,
2587 EF_OLD_VERSION | EF_CREATES_FD | EF_MODIFIES_STATE |
2588 EF_CONVERTER_MANAGED,
2589 2,
2590 {{"fd", PT_FD, PF_DEC}, {"mask", PT_UINT32, PF_HEX}}},
2591 [PPME_SYSCALL_SIGNALFD4_X] = {"signalfd4",
2592 EC_SIGNAL | EC_SYSCALL,
2593 EF_CREATES_FD | EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
2594 4,
2595 {{"res", PT_FD, PF_DEC},
2596 {"flags", PT_FLAGS16, PF_HEX, file_flags},
2597 {"fd", PT_FD, PF_DEC},
2598 {"mask", PT_UINT32, PF_HEX}}},
2599 [PPME_SYSCALL_PRCTL_E] = {"prctl",
2600 EC_PROCESS | EC_SYSCALL,
2601 EF_OLD_VERSION | EF_MODIFIES_STATE,
2602 0},
2603 [PPME_SYSCALL_PRCTL_X] = {"prctl",
2604 EC_PROCESS | EC_SYSCALL,
2605 EF_MODIFIES_STATE,
2606 4,
2607 {{"res", PT_ERRNO, PF_DEC},
2608 {"option", PT_ENUMFLAGS32, PF_DEC, prctl_options},
2609 {"arg2_str", PT_CHARBUF, PF_NA},
2610 {"arg2_int", PT_INT64, PF_DEC}}},
2611 [PPME_ASYNCEVENT_E] = {"asyncevent",
2612 EC_OTHER | EC_METAEVENT,
2613 EF_LARGE_PAYLOAD,
2614 3,
2615 {{"plugin_id", PT_UINT32, PF_DEC},
2616 {"name", PT_CHARBUF, PF_NA},
2617 {"data", PT_BYTEBUF, PF_NA}}},
2618 [PPME_ASYNCEVENT_X] = {"NA", EC_UNKNOWN, EF_UNUSED, 0},
2619 [PPME_SYSCALL_MEMFD_CREATE_E] = {"memfd_create",
2620 EC_MEMORY | EC_SYSCALL,
2621 EF_OLD_VERSION | EF_CREATES_FD | EF_MODIFIES_STATE,
2622 0},
2623 [PPME_SYSCALL_MEMFD_CREATE_X] = {"memfd_create",
2624 EC_MEMORY | EC_SYSCALL,
2625 EF_CREATES_FD | EF_MODIFIES_STATE,
2626 3,
2627 {{"fd", PT_FD, PF_DEC},
2628 {"name", PT_CHARBUF, PF_NA},
2629 {"flags", PT_FLAGS32, PF_HEX, memfd_create_flags}}},
2630 [PPME_SYSCALL_PIDFD_GETFD_E] = {"pidfd_getfd",
2631 EC_PROCESS | EC_SYSCALL,
2632 EF_OLD_VERSION | EF_CREATES_FD | EF_MODIFIES_STATE,
2633 0},
2634 [PPME_SYSCALL_PIDFD_GETFD_X] = {"pidfd_getfd",
2635 EC_PROCESS | EC_SYSCALL,
2636 EF_CREATES_FD | EF_MODIFIES_STATE,
2637 4,
2638 {{"fd", PT_FD, PF_DEC},
2639 {"pid_fd", PT_FD, PF_DEC},
2640 {"target_fd", PT_FD, PF_DEC},
2641 {"flags", PT_UINT32, PF_HEX}}},
2642 [PPME_SYSCALL_PIDFD_OPEN_E] = {"pidfd_open",
2643 EC_PROCESS | EC_SYSCALL,
2644 EF_OLD_VERSION | EF_CREATES_FD | EF_MODIFIES_STATE,
2645 0},
2646 [PPME_SYSCALL_PIDFD_OPEN_X] = {"pidfd_open",
2647 EC_PROCESS | EC_SYSCALL,
2648 EF_CREATES_FD | EF_MODIFIES_STATE,
2649 3,
2650 {{"fd", PT_FD, PF_DEC},
2651 {"pid", PT_PID, PF_DEC},
2652 {"flags", PT_FLAGS32, PF_HEX, pidfd_open_flags}}},
2653 [PPME_SYSCALL_INIT_MODULE_E] = {"init_module", EC_OTHER | EC_SYSCALL, EF_OLD_VERSION, 0},
2654 [PPME_SYSCALL_INIT_MODULE_X] = {"init_module",
2655 EC_OTHER | EC_SYSCALL,
2656 EF_NONE,
2657 4,
2658 {{"res", PT_ERRNO, PF_DEC},
2659 {"img", PT_BYTEBUF, PF_NA},
2660 {"length", PT_UINT64, PF_DEC},
2661 {"uargs", PT_CHARBUF, PF_NA}}},
2662 [PPME_SYSCALL_FINIT_MODULE_E] = {"finit_module", EC_OTHER | EC_SYSCALL, EF_OLD_VERSION, 0},
2663 [PPME_SYSCALL_FINIT_MODULE_X] = {"finit_module",
2664 EC_OTHER | EC_SYSCALL,
2665 EF_USES_FD | EF_READS_FROM_FD,
2666 4,
2667 {{"res", PT_ERRNO, PF_DEC},
2668 {"fd", PT_FD, PF_DEC},
2669 {"uargs", PT_CHARBUF, PF_NA},
2670 {"flags", PT_FLAGS32, PF_HEX, finit_module_flags}}},
2671 [PPME_SYSCALL_MKNOD_E] = {"mknod", EC_OTHER | EC_SYSCALL, EF_OLD_VERSION, 0},
2672 [PPME_SYSCALL_MKNOD_X] = {"mknod",
2673 EC_OTHER | EC_SYSCALL,
2674 EF_NONE,
2675 4,
2676 {{"res", PT_ERRNO, PF_DEC},
2677 {"path", PT_FSPATH, PF_NA},
2678 {"mode", PT_MODE, PF_OCT, mknod_mode},
2679 {"dev", PT_UINT32, PF_DEC}}},
2680 [PPME_SYSCALL_MKNODAT_E] = {"mknodat", EC_OTHER | EC_SYSCALL, EF_OLD_VERSION, 0},
2681 [PPME_SYSCALL_MKNODAT_X] = {"mknodat",
2682 EC_OTHER | EC_SYSCALL,
2683 EF_USES_FD,
2684 5,
2685 {{"res", PT_ERRNO, PF_DEC},
2686 {"dirfd", PT_FD, PF_DEC},
2687 {"path", PT_FSRELPATH, PF_NA, 1},
2688 {"mode", PT_MODE, PF_OCT, mknod_mode},
2689 {"dev", PT_UINT32, PF_DEC}}},
2690 [PPME_SYSCALL_NEWFSTATAT_E] = {"newfstatat", EC_FILE | EC_SYSCALL, EF_OLD_VERSION, 0},
2691 [PPME_SYSCALL_NEWFSTATAT_X] = {"newfstatat",
2692 EC_FILE | EC_SYSCALL,
2693 EF_USES_FD,
2694 4,
2695 {{"res", PT_ERRNO, PF_DEC},
2696 {"dirfd", PT_FD, PF_DEC},
2697 {"path", PT_FSRELPATH, PF_NA, 1},
2698 {"flags", PT_FLAGS32, PF_HEX, newfstatat_flags}}},
2699 [PPME_SYSCALL_PROCESS_VM_READV_E] = {"process_vm_readv",
2700 EC_SYSCALL | EC_IPC,
2701 EF_OLD_VERSION,
2702 0},
2703 [PPME_SYSCALL_PROCESS_VM_READV_X] = {"process_vm_readv",
2704 EC_SYSCALL | EC_IPC,
2705 EF_NONE,
2706 3,
2707 {{"res", PT_INT64, PF_DEC},
2708 {"pid", PT_PID, PF_DEC},
2709 {"data", PT_BYTEBUF, PF_NA}}},
2710 [PPME_SYSCALL_PROCESS_VM_WRITEV_E] = {"process_vm_writev",
2711 EC_SYSCALL | EC_IPC,
2712 EF_OLD_VERSION,
2713 0},
2714 [PPME_SYSCALL_PROCESS_VM_WRITEV_X] = {"process_vm_writev",
2715 EC_SYSCALL | EC_IPC,
2716 EF_NONE,
2717 3,
2718 {{"res", PT_INT64, PF_DEC},
2719 {"pid", PT_PID, PF_DEC},
2720 {"data", PT_BYTEBUF, PF_NA}}},
2721 [PPME_SYSCALL_DELETE_MODULE_E] = {"delete_module",
2722 EC_OTHER | EC_SYSCALL,
2723 EF_OLD_VERSION,
2724 0},
2725 [PPME_SYSCALL_DELETE_MODULE_X] = {"delete_module",
2726 EC_OTHER | EC_SYSCALL,
2727 EF_NONE,
2728 3,
2729 {{"res", PT_ERRNO, PF_DEC},
2730 {"name", PT_CHARBUF, PF_NA},
2731 {"flags", PT_FLAGS32, PF_HEX, delete_module_flags}}},
2732 [PPME_SYSCALL_SETREUID_E] = {"setreuid",
2733 EC_USER | EC_SYSCALL,
2734 EF_OLD_VERSION | EF_MODIFIES_STATE,
2735 0},
2736 [PPME_SYSCALL_SETREUID_X] = {"setreuid",
2737 EC_USER | EC_SYSCALL,
2738 EF_MODIFIES_STATE,
2739 3,
2740 {{"res", PT_ERRNO, PF_DEC},
2741 {"ruid", PT_UID, PF_DEC},
2742 {"euid", PT_UID, PF_DEC}}},
2743 [PPME_SYSCALL_SETREGID_E] = {"setregid", EC_USER | EC_SYSCALL, EF_OLD_VERSION, 0},
2744 [PPME_SYSCALL_SETREGID_X] = {"setregid",
2745 EC_USER | EC_SYSCALL,
2746 EF_MODIFIES_STATE,
2747 3,
2748 {{"res", PT_ERRNO, PF_DEC},
2749 {"rgid", PT_UID, PF_DEC},
2750 {"egid", PT_UID, PF_DEC}}},
2751}