
Add syscall-specific variants of BPF_KPROBE/BPF_KRETPROBE #425

@anakryiko

Description


Syscalls, in actuality, have one input parameter, struct pt_regs *, that contains the register state that user-space passed into the syscall. So when someone just uses, say, BPF_KPROBE(my_prog, int fd) for tracing "__x64_sys_close", they are getting garbage. It has to be something like this to get the actual syscall input arguments:

```c
/* Headers needed for SEC(), BPF_KPROBE(), PT_REGS_PARM1_CORE() and the
 * kernel types (pid_t, struct pt_regs) used below. */
#include "vmlinux.h"
#include <bpf/bpf_helpers.h>
#include <bpf/bpf_tracing.h>
#include <bpf/bpf_core_read.h>

/* bpf_printk() is a GPL-only helper, so the program needs a license. */
char LICENSE[] SEC("license") = "GPL";

SEC("kprobe/__x64_sys_close")
int BPF_KPROBE(do_sys_close, struct pt_regs *regs)
{
        pid_t pid;
        int fd;

        /* The wrapper's only argument is the user-space register state;
         * the real syscall arguments live one dereference further in. */
        fd = PT_REGS_PARM1_CORE(regs);

        pid = bpf_get_current_pid_tgid() >> 32;
        bpf_printk("KPROBE ENTRY pid = %d, fd = %d\n", pid, fd);
        return 0;
}
```

So maybe let's have BPF_KPROBE_SYSCALL/BPF_KRETPROBE_SYSCALL macros that would do this additional pt_regs dereference step.
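The following is an added, user-space model of the two-level dereference described in this issue; it is not libbpf code and not the macro the issue proposes. It uses a hypothetical, cut-down `struct pt_regs` (only the x86_64 argument registers `di`, `si`, `dx`) and local `PT_REGS_PARM*` macros, so it compiles with a normal C compiler. `naive_close_fd` reads the first argument of the probed function directly, which is what `BPF_KPROBE(prog, int fd)` amounts to on a syscall wrapper; `syscall_close_fd` performs the extra dereference. The register contents are constructed.

```c
/* Added illustration, not libbpf code: why a kprobe on a syscall wrapper
 * such as __x64_sys_close must dereference pt_regs twice. */
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for the x86_64 struct pt_regs: only the
 * argument registers needed here, not the kernel's full definition. */
struct pt_regs {
    unsigned long di;   /* 1st argument */
    unsigned long si;   /* 2nd argument */
    unsigned long dx;   /* 3rd argument */
};

/* Local equivalents of the x86_64 argument accessors. */
#define PT_REGS_PARM1(x) ((x)->di)
#define PT_REGS_PARM2(x) ((x)->si)

/* What a plain BPF_KPROBE(prog, int fd) effectively does on a syscall
 * wrapper: read the wrapper's first argument as if it were the fd.
 * That argument is really a pointer to the user-space register state. */
static int naive_close_fd(struct pt_regs *ctx)
{
    return (int)PT_REGS_PARM1(ctx);
}

/* The extra step the issue asks for: treat the wrapper's first argument
 * as the user-space pt_regs and read the syscall's fd out of it. */
static int syscall_close_fd(struct pt_regs *ctx)
{
    struct pt_regs *regs = (struct pt_regs *)PT_REGS_PARM1(ctx);
    return (int)PT_REGS_PARM1(regs);
}

/* Constructed register state: user_regs holds what user space passed
 * (fd in di), wrapper_regs holds what the kernel wrapper receives
 * (a pointer to user_regs in di). 'static' keeps the address stable
 * across calls. */
static struct pt_regs *build_wrapper_ctx(int fd)
{
    static struct pt_regs user_regs;
    static struct pt_regs wrapper_regs;
    user_regs.di = (unsigned long)fd;
    wrapper_regs.di = (unsigned long)&user_regs;
    return &wrapper_regs;
}

/* fd as a BPF_KPROBE(prog, int fd) would see it: low 32 bits of a pointer. */
int demo_naive_fd(int fd)
{
    return naive_close_fd(build_wrapper_ctx(fd));
}

/* fd as the proposed BPF_KPROBE_SYSCALL would see it. */
int demo_syscall_fd(int fd)
{
    return syscall_close_fd(build_wrapper_ctx(fd));
}

int main(void)
{
    printf("naive fd = %d (pointer bits), syscall fd = %d\n",
           demo_naive_fd(7), demo_syscall_fd(7));
    return 0;
}
```

Because `user_regs` is at least 8-byte aligned, the naive read can never yield a small odd value like 7; it returns the low bits of a pointer, which is the "garbage" the issue refers to.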

Labels: feature (New feature or request)