root@master:/sys/kernel/debug/tracing/events# cat syscalls/sys_enter_openat/format
name: sys_enter_openat
ID: 651
format:
field:unsigned short common_type; offset:0; size:2; signed:0;
field:unsigned char common_flags; offset:2; size:1; signed:0;
field:unsigned char common_preempt_count; offset:3; size:1; signed:0;
field:int common_pid; offset:4; size:4; signed:1;
field:int __syscall_nr; offset:8; size:4; signed:1;
field:int dfd; offset:16; size:8; signed:0;
field:const char * filename; offset:24; size:8; signed:0;
field:int flags; offset:32; size:8; signed:0;
field:umode_t mode; offset:40; size:8; signed:0;
print fmt: "dfd: 0x%08lx, filename: 0x%08lx, flags: 0x%08lx, mode: 0x%08lx", ((unsigned long)(REC->dfd)), ((unsigned long)(REC->filename)), ((unsigned long)(REC->flags)), ((unsigned long)(REC->mode))
How do I know what prog type it is?
What you are looking at is the format for a tracepoint. It describes the structure of the context that will be passed to a potential BPF_PROG_TYPE_TRACEPOINT
program if you were to attach it at this tracepoint. Tracepoint programs can only be attached to these pre-defined tracepoints in the kernel.
BPF_PROG_TYPE_RAW_TRACEPOINT programs can also attach at these same tracepoints, but instead of getting the formatted context you will just get an array of 64-bit values representing the arguments. So you might have to do some additional work to parse them.
struct bpf_raw_tracepoint_args {
__u64 args[0];
};
BPF_PROG_TYPE_KPROBE programs can attach at pretty much any function in the kernel. Exceptions are locations that are explicitly forbidden. But other factors like the inlining of functions can also make it hard to kprobe certain things. Like the raw tracepoint, you will not get any type information here, just raw register values and the ability to read the kernel memory within reason.
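The answer says the `format` file describes the context struct a BPF_PROG_TYPE_TRACEPOINT program receives. As an added example (not part of the answer above), here is a small Python parser for exactly that tracefs output: it builds the matching C context struct from the reported offset/size fields, makes alignment holes explicit, and flags fields whose declared C type is narrower than the size the kernel reports (in the output above `int dfd` has size 8, so a struct typed literally from `int` would read the wrong bytes). The 8-byte pointer width is an x86_64 assumption.

```python
import re

# Copied from the question's tracefs output for sys_enter_openat (not constructed).
FORMAT_TEXT = """\
field:unsigned short common_type; offset:0; size:2; signed:0;
field:unsigned char common_flags; offset:2; size:1; signed:0;
field:unsigned char common_preempt_count; offset:3; size:1; signed:0;
field:int common_pid; offset:4; size:4; signed:1;
field:int __syscall_nr; offset:8; size:4; signed:1;
field:int dfd; offset:16; size:8; signed:0;
field:const char * filename; offset:24; size:8; signed:0;
field:int flags; offset:32; size:8; signed:0;
field:umode_t mode; offset:40; size:8; signed:0;
"""

FIELD_RE = re.compile(
    r"field:(?P<ctype>.+?)\s*(?P<name>\w+);\s*offset:(?P<offset>\d+);"
    r"\s*size:(?P<size>\d+);\s*signed:(?P<signed>[01]);")

# Widths of the C types the kernel prints; pointers are 8 bytes on x86_64 (assumption).
C_WIDTH = {"char": 1, "unsigned char": 1, "short": 2, "unsigned short": 2,
           "umode_t": 2, "int": 4, "unsigned int": 4, "long": 8, "unsigned long": 8}

def parse_format(text):
    """Return one dict per 'field:' line, sorted by offset."""
    fields = [{k: (v.strip() if k in ("ctype", "name") else int(v))
               for k, v in m.groupdict().items()} for m in FIELD_RE.finditer(text)]
    return sorted(fields, key=lambda f: f["offset"])

def check_layout(fields):
    """Warn on overlapping fields and on declared types narrower than the reported size."""
    warnings, end = [], 0
    for f in fields:
        if f["offset"] < end:
            warnings.append(f"{f['name']}: overlaps previous field")
        end = f["offset"] + f["size"]
        width = 8 if f["ctype"].endswith("*") else C_WIDTH.get(f["ctype"])
        if width is not None and width != f["size"]:
            warnings.append(f"{f['name']}: declared '{f['ctype']}' ({width} B) but size is {f['size']} B")
    return warnings

def to_c_struct(fields, name):
    """Emit a context struct typed from offset/size/signed, with explicit padding; also return total size."""
    lines, pos = [f"struct {name} {{"], 0
    for f in fields:
        if f["offset"] > pos:  # alignment hole (e.g. bytes 12..15 above): keep it visible
            lines.append(f"    __u8 __pad_{pos}[{f['offset'] - pos}];")
        kind = "__s" if f["signed"] else "__u"
        lines.append(f"    {kind}{f['size'] * 8} {f['name']};  /* offset {f['offset']}, declared {f['ctype']} */")
        pos = f["offset"] + f["size"]
    lines.append("};")
    return "\n".join(lines), pos
```

Running `check_layout(parse_format(FORMAT_TEXT))` reports dfd, flags and mode as wider than their declared types, which is why the generated struct uses `__u64` for them rather than `int`.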