tetragon: Update list docs with syscall64 type

And 32 bit syscalls. Signed-off-by: Jiri Olsa <[email protected]>
cilium · Dec 13, 2023 · c9ae738 · c9ae738
1 parent 4268eb4
commit c9ae738
Show file tree

Hide file tree

Showing 2 changed files with 43 additions and 1 deletion.
diff --git a/docs/content/en/docs/concepts/tracing-policy/hooks.md b/docs/content/en/docs/concepts/tracing-policy/hooks.md
@@ -406,6 +406,24 @@ spec:
     - "sys_close"
 ```
 
+Syscalls specified with `sys_` prefix are translated to their 64 bit equivalent function names.
+
+It's possible to specify 32 bit syscall by using its full function name that
+includes specific architecture native prefix (like `__ia32_` for `x86`):
+
+```yaml
+spec:
+  lists:
+  - name: "dups"
+    type: "syscalls"
+    values:
+    - "sys_dup"
+    - "__ia32_sys_dup"
+    name: "another"
+    - "sys_open"
+    - "sys_close"
+```
+
 Specific list can be referenced in kprobe's `call` field with `"list:NAME"` value.
 
 ```yaml
@@ -520,3 +538,27 @@ spec:
         values:
         - "/usr/bin/kill"
 ```
+
+Note that if syscall list is used in selector with InMap operator, the argument type needs to be `syscall64`, like.
+
+```yaml
+spec:
+  lists:
+  - name: "dups"
+    type: "syscalls"
+    values:
+    - "sys_dup"
+    - "__ia32_sys_dup"
+  tracepoints:
+  - subsystem: "raw_syscalls"
+    event: "sys_enter"
+    args:
+    - index: 4
+      type: "syscall64"
+    selectors:
+    - matchArgs:
+      - index: 0
+        operator: "InMap"
+        values:
+        - "list:dups"
+```
diff --git a/docs/content/en/docs/concepts/tracing-policy/selectors.md b/docs/content/en/docs/concepts/tracing-policy/selectors.md
@@ -1047,7 +1047,7 @@ spec:
     event: "sys_enter"
     args:
     - index: 4
-      type: "uint64"
+      type: "syscall64"
     selectors:
     - matchArgs:
       - index: 0