From c0d076c53b8d47cb14a6b255721098df8f67a7f6 Mon Sep 17 00:00:00 2001
From: Jiri Olsa
Date: Wed, 6 Dec 2023 14:07:19 +0000
Subject: [PATCH] tetragon: Update list docs with syscall64 type And 32 bit syscalls.
Signed-off-by: Jiri Olsa
---
 .../en/docs/concepts/tracing-policy/hooks.md | 42 +++++++++++++++++++
 .../docs/concepts/tracing-policy/selectors.md | 2 +-
 2 files changed, 43 insertions(+), 1 deletion(-)
diff --git a/docs/content/en/docs/concepts/tracing-policy/hooks.md b/docs/content/en/docs/concepts/tracing-policy/hooks.md
index 5641375326e..eeeeffea5bc 100644
--- a/docs/content/en/docs/concepts/tracing-policy/hooks.md
+++ b/docs/content/en/docs/concepts/tracing-policy/hooks.md
@@ -406,6 +406,24 @@ spec:
 - "sys_close"
 ```
+Syscalls specified with `sys_` prefix are translated to their 64 bit equivalent function names.
+
+It's possible to specify 32 bit syscall by using its full function name that
+includes specific architecture native prefix (like `__ia32_` for `x86`):
+
+```yaml
+spec:
+ lists:
+ - name: "dups"
+ type: "syscalls"
+ values:
+ - "sys_dup"
+ - "__ia32_sys_dup"
+ name: "another"
+ - "sys_open"
+ - "sys_close"
+```
+
 Specific list can be referenced in kprobe's `call` field with `"list:NAME"` value.
 ```yaml
@@ -520,3 +538,27 @@ spec:
 values:
 - "/usr/bin/kill"
 ```
+
+Note that if syscall list is used in selector with InMap operator, the argument type needs to be `syscall64`, like.
+
+```yaml
+spec:
+ lists:
+ - name: "dups"
+ type: "syscalls"
+ values:
+ - "sys_dup"
+ - "__ia32_sys_dup"
+ tracepoints:
+ - subsystem: "raw_syscalls"
+ event: "sys_enter"
+ args:
+ - index: 4
+ type: "syscall64"
+ selectors:
+ - matchArgs:
+ - index: 0
+ operator: "InMap"
+ values:
+ - "list:dups"
+```
diff --git a/docs/content/en/docs/concepts/tracing-policy/selectors.md b/docs/content/en/docs/concepts/tracing-policy/selectors.md
index e51bfc88ed5..517c7703ec2 100644
--- a/docs/content/en/docs/concepts/tracing-policy/selectors.md
+++ b/docs/content/en/docs/concepts/tracing-policy/selectors.md
@@ -1047,7 +1047,7 @@ spec:
 event: "sys_enter"
 args:
 - index: 4
- type: "uint64"
+ type: "syscall64"
 selectors:
 - matchArgs:
 - index: 0