Add baseline pidfd_getfd tracepoint support

author: Paul Buetow <paul@buetow.org> 2026-02-23 10:40:36 +0200
committer: Paul Buetow <paul@buetow.org> 2026-02-23 10:40:36 +0200
commit: faeb28d0e0e8ad6b1ec1bbd7aa4d0db1f07013e5 (patch)
tree: 492e0efef9bb105e4f8a834d13c78d0d049344da /internal/c
parent: a1eb580aa5b80e913dc722ccf97e42c6987152e8 (diff)
2 files changed, 49 insertions, 2 deletions
diff --git a/internal/c/generated_tracepoints.c b/internal/c/generated_tracepoints.c
index 5917a85..06f8c39 100644
--- a/internal/c/generated_tracepoints.c
+++ b/internal/c/generated_tracepoints.c
@@ -127,7 +127,6 @@
 /// Ignoring sys_enter_pause sys_exit_pause as possibly not file I/O related
 /// Ignoring sys_enter_perf_event_open sys_exit_perf_event_open as possibly not file I/O related
 /// Ignoring sys_enter_personality sys_exit_personality as possibly not file I/O related
-/// Ignoring sys_enter_pidfd_getfd sys_exit_pidfd_getfd as possibly not file I/O related
 /// Ignoring sys_enter_pidfd_open sys_exit_pidfd_open as possibly not file I/O related
 /// Ignoring sys_enter_pidfd_send_signal sys_exit_pidfd_send_signal as possibly not file I/O related
 /// Ignoring sys_enter_pipe sys_exit_pipe as possibly not file I/O related
@@ -481,6 +480,8 @@
 #define SYS_EXIT_FINIT_MODULE 402
 #define SYS_ENTER_SYSLOG 347
 #define SYS_EXIT_SYSLOG 346
+#define SYS_ENTER_PIDFD_GETFD 271
+#define SYS_EXIT_PIDFD_GETFD 270
 #define SYS_ENTER_MMAP 100
 #define SYS_EXIT_MMAP 99
 
@@ -5725,6 +5726,51 @@ int handle_sys_exit_syslog(struct trace_event_raw_sys_exit *ctx) {
     return 0;
 }
 
+/// sys_enter_pidfd_getfd is a struct fd_event
+SEC("tracepoint/syscalls/sys_enter_pidfd_getfd")
+int handle_sys_enter_pidfd_getfd(struct trace_event_raw_sys_enter *ctx) {
+    __u32 pid, tid;
+    if (filter(&pid, &tid))
+        return 0;
+
+    struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
+    if (!ev)
+        return 0;
+
+    ev->event_type = ENTER_FD_EVENT;
+    ev->trace_id = SYS_ENTER_PIDFD_GETFD;
+    ev->pid = pid;
+    ev->tid = tid;
+    ev->time = bpf_ktime_get_boot_ns();
+    ev->fd = (__s32)ctx->args[0];
+
+    bpf_ringbuf_submit(ev, 0);
+    return 0;
+}
+
+/// sys_exit_pidfd_getfd is a struct ret_event (UNCLASSIFIED)
+SEC("tracepoint/syscalls/sys_exit_pidfd_getfd")
+int handle_sys_exit_pidfd_getfd(struct trace_event_raw_sys_exit *ctx) {
+    __u32 pid, tid;
+    if (filter(&pid, &tid))
+        return 0;
+
+    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+    if (!ev)
+        return 0;
+
+    ev->event_type = EXIT_RET_EVENT;
+    ev->trace_id = SYS_EXIT_PIDFD_GETFD;
+    ev->pid = pid;
+    ev->tid = tid;
+    ev->time = bpf_ktime_get_boot_ns();
+    ev->ret = ctx->ret;
+    ev->ret_type = UNCLASSIFIED;
+
+    bpf_ringbuf_submit(ev, 0);
+    return 0;
+}
+
 /// sys_enter_mmap is a struct fd_event
 SEC("tracepoint/syscalls/sys_enter_mmap")
 int handle_sys_enter_mmap(struct trace_event_raw_sys_enter *ctx) {
diff --git a/internal/c/generated_tracepoints_result.txt b/internal/c/generated_tracepoints_result.txt
index 87609e8..c18fec5 100644
--- a/internal/c/generated_tracepoints_result.txt
+++ b/internal/c/generated_tracepoints_result.txt
@@ -125,7 +125,6 @@ Ignoring sys_enter_newuname sys_exit_newuname as possibly not file I/O related
 Ignoring sys_enter_pause sys_exit_pause as possibly not file I/O related
 Ignoring sys_enter_perf_event_open sys_exit_perf_event_open as possibly not file I/O related
 Ignoring sys_enter_personality sys_exit_personality as possibly not file I/O related
-Ignoring sys_enter_pidfd_getfd sys_exit_pidfd_getfd as possibly not file I/O related
 Ignoring sys_enter_pidfd_open sys_exit_pidfd_open as possibly not file I/O related
 Ignoring sys_enter_pidfd_send_signal sys_exit_pidfd_send_signal as possibly not file I/O related
 Ignoring sys_enter_pipe sys_exit_pipe as possibly not file I/O related
@@ -329,6 +328,7 @@ sys_enter_open_tree is a struct open_event
 sys_enter_open_tree_attr is a struct open_event
 sys_enter_openat is a struct open_event
 sys_enter_openat2 is a struct open_event
+sys_enter_pidfd_getfd is a struct fd_event
 sys_enter_pread64 is a struct fd_event
 sys_enter_preadv is a struct fd_event
 sys_enter_preadv2 is a struct fd_event
@@ -445,6 +445,7 @@ sys_exit_open_tree is a struct ret_event (UNCLASSIFIED)
 sys_exit_open_tree_attr is a struct ret_event (UNCLASSIFIED)
 sys_exit_openat is a struct ret_event (UNCLASSIFIED)
 sys_exit_openat2 is a struct ret_event (UNCLASSIFIED)
+sys_exit_pidfd_getfd is a struct ret_event (UNCLASSIFIED)
 sys_exit_pread64 is a struct ret_event (READ_CLASSIFIED)
 sys_exit_preadv is a struct ret_event (READ_CLASSIFIED)
 sys_exit_preadv2 is a struct ret_event (READ_CLASSIFIED)
author	Paul Buetow <paul@buetow.org>	2026-02-23 10:40:36 +0200
committer	Paul Buetow <paul@buetow.org>	2026-02-23 10:40:36 +0200
commit	faeb28d0e0e8ad6b1ec1bbd7aa4d0db1f07013e5 (patch)
tree	492e0efef9bb105e4f8a834d13c78d0d049344da /internal/c
parent	a1eb580aa5b80e913dc722ccf97e42c6987152e8 (diff)