I'd like to use raw_tracepoint with libbpf to record syscalls. Is there any way to get the syscall_id using a BPF raw tracepoint program SEC("raw_tracepoint/sys_exit")? I tried to search the documents about raw tracepoints and tracepoints, but I didn't find an answer.

1 Answer

You can use a BTF raw tracepoint; the syscall number is saved in the 'orig_ax' register. You can use BPF_CORE_READ(regs, orig_ax) to read it.

#include "vmlinux.h"
#include <bpf/bpf_helpers.h>
#include <bpf/bpf_tracing.h>
#include <bpf/bpf_core_read.h>

char LICENSE[] SEC("license") = "GPL";
SEC("tp_btf/sys_exit")
__s32 BPF_PROG(xm_btf_rtp__sys_exit, struct pt_regs *regs, __s64 ret) {
    __u64 id = bpf_get_current_pid_tgid();   /* upper 32 bits: tgid, lower 32 bits: tid */
    pid_t pid = id >> 32;                    /* user-visible PID (thread group id) */
    __u32 tid = (__u32)id;                   /* kernel task id of the calling thread */
    __u64 delay_ns = 0;
    /* x86-64: rax is overwritten by the return value on exit; orig_ax still holds the syscall number */
    __s64 syscall_nr = BPF_CORE_READ(regs, orig_ax);
    bpf_printk("pid=%d tid=%u nr=%lld ret=%lld delay=%llu", pid, tid, syscall_nr, ret, delay_ns);
    return 0;
}