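/* SPDX-License-Identifier: (LGPL-2.1 OR BSD-2-Clause) */
#ifndef __EXECSNOOP_H
#define __EXECSNOOP_H

/*
 * Event record layout for the exec tracer
 * (pkg/gadgets/trace/exec/tracer/bpf/execsnoop.h, inspektor-gadget v0.28.1).
 *
 * This header includes nothing itself. The including file must already
 * provide __u8/__u32/__u64, bool, size_t and uid_t, and must define
 * MAX_STRING_SIZE when WITH_LONG_PATHS is set.
 */

/* Size in bytes of one slot in event.args (args holds TOTAL_MAX_ARGS slots). */
#define ARGSIZE 128
/* Size in bytes of the comm and pcomm name buffers. */
#define TASK_COMM_LEN 16
/* Number of ARGSIZE-byte slots the args buffer is dimensioned for. */
#define TOTAL_MAX_ARGS 60
/* Not used in this header; presumably the default argument limit applied by
 * the tracer (confirm against the BPF program / tracer.go). */
#define DEFAULT_MAXARGS 20
/*
 * Capacity of event.args in bytes. An event can never carry more argument
 * data than this, so a longer command line cannot be recorded in full.
 * How the producer truncates is decided outside this header.
 */
#define FULL_MAX_ARGS_ARR (TOTAL_MAX_ARGS * ARGSIZE)
/* All-ones uid_t sentinel; not referenced by anything else in this header. */
#define INVALID_UID ((uid_t)-1)
/*
 * Byte offset of the args member, i.e. the size of the fixed part of an
 * event. The whole expansion is parenthesized so that it stays one operand
 * in any surrounding expression (e.g. `sizeof BASE_EVENT_SIZE`).
 */
#define BASE_EVENT_SIZE ((size_t)(&((struct event *)0)->args))
/*
 * Size in bytes of the used part of an event: fixed part plus args_size.
 * `e` is parenthesized so arguments such as `&ev` or `p + 1` expand
 * correctly. `e` must be a pointer to struct event.
 *
 * NOTE(review): the result is only as trustworthy as e->args_size. Code that
 * uses it as a copy or submit length should first check
 * args_size <= FULL_MAX_ARGS_ARR.
 */
#define EVENT_SIZE(e) (BASE_EVENT_SIZE + (e)->args_size)
/* Byte offset of the final ARGSIZE-sized slot inside event.args. */
#define LAST_ARG (FULL_MAX_ARGS_ARR - ARGSIZE)

// this needs to be manually kept in sync with execsnoopEventAbbrev in tracer.go (without the args field)
// NOTE(review): on common ABIs the compiler pads after `upper_layer` so that
// `args_size` is 4-byte aligned; the Go mirror has to reproduce that padding
// or every later field is decoded at the wrong offset.
struct event {
	__u64 mntns_id;
	__u64 timestamp;
	__u32 pid;
	__u32 ppid;
	__u32 uid;
	__u32 gid;
	__u32 loginuid;
	__u32 sessionid;
	int retval;
	int args_count;
	bool upper_layer;
	/* Number of bytes of args in use; added to BASE_EVENT_SIZE by EVENT_SIZE(). */
	unsigned int args_size;
	__u8 comm[TASK_COMM_LEN];
	__u8 pcomm[TASK_COMM_LEN];
#ifdef WITH_LONG_PATHS
	__u8 cwd[MAX_STRING_SIZE];
	__u8 exepath[MAX_STRING_SIZE];
#endif
	/* Variable-length tail: only the first args_size bytes are meaningful. */
	__u8 args[FULL_MAX_ARGS_ARR];
};

#endif /* __EXECSNOOP_H */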