Added new kprobe to the filesystem ebpf section. Now receiving read events, and storing them in a map for later use, along with a reference to the user-space memory buffer

src/common/map_common.h

@@ -0,0 +1,23 @@
+#ifndef __MAP_COMMON_H
+#define __MAP_COMMON_H
+
+#define RB_EVENT_MAX_MESSAGE_SIZE 512
+
+
+// Ring buffer for kernel->user communication
+typedef enum {
+    INFO,
+    DEBUG,
+    EXIT,
+    ERROR
+} event_type_t;
+
+struct rb_event {
+	int pid;
+    char message[RB_EVENT_MAX_MESSAGE_SIZE];
+    int code;
+    event_type_t event_type;
+};
+
+
+#endif

src/common/map_defs.h

@@ -1,37 +0,0 @@
-#ifndef __MAP_DEFS_H
-#define __MAP_DEFS_H
-
-#define RB_EVENT_MAX_MESSAGE_SIZE 512
-
-// Ring buffer for kernel->user communication
-typedef enum {
-    INFO,
-    DEBUG,
-    EXIT,
-    ERROR
-} event_type_t;
-
-struct rb_event {
-	int pid;
-    char message[RB_EVENT_MAX_MESSAGE_SIZE];
-    int code;
-    event_type_t event_type;
-};
-
-//sched_process_exec tracepoint contents
-//now included in vmlinux
-/*struct trace_entry {
-	short unsigned int type;
-	unsigned char flags;
-	unsigned char preempt_count;
-	int pid;
-};
-struct trace_event_raw_sched_process_exec {
-	struct trace_entry ent;
-	unsigned int __data_loc_filename;
-	int pid;
-	int old_pid;
-	char __data[0];
-};*/
-
-#endif