
epoll_ctl

Intro

epoll_ctl - program the event filter for an epoll instance

Description

The epoll_ctl() system call adds, modifies, or deletes the entry that an epoll instance keeps in the kernel for a given file descriptor. An application creates an epoll instance using epoll_create1() and receives notification of I/O events through that instance.

For each file descriptor, the process can register multiple events of interest along with user-supplied data, such as a reference to the file descriptor. The set of registered events and their associated user data for a given file descriptor can be changed using epoll_ctl().

Note that the epoll_ctl() system call does not generalize I/O event monitoring to other kinds of objects like signals and timers - use different system calls to program these special kinds of events.

Arguments

  • epfd:int - epoll instance file descriptor
  • op:int[K] - operation code
  • fd:int[K] - file descriptor to be monitored
  • event:struct epoll_event*[K] - structure with epoll events

Available Tags

  • K - Originated from kernel-space.

Hooks

sys_epoll_ctl

Type

Kprobe + Kretprobe

Purpose

The purpose for hooking the sys_epoll_ctl kernel entry point is to trace the epoll_ctl system call and its arguments, as well as the return code.

sys_epoll_create1

Type

Kprobe

Purpose

The purpose for hooking the sys_epoll_create1 kernel entry point is to trace the epoll_create1 system call and its arguments, as well as the return code.

Example Use Case

The epoll_ctl system call can be used to add, modify, or delete entries in an epoll instance's kernel struct associated with a file descriptor. This can be useful for monitoring I/O on a large number of file descriptors. For example, an application can use epoll_ctl to monitor activity on a large number of sockets, and be alerted when one of the sockets has data ready to be read.
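The sequence below is an added example, not code from Tracee or from the original page: it issues each epoll_ctl operation (EPOLL_CTL_ADD, EPOLL_CTL_MOD, EPOLL_CTL_DEL) against a pipe, so a tracer hooking the call records every combination of the epfd, op, fd and event arguments, including the two error returns. The helper names ctl, ready_tag and epoll_ctl_demo and the tag values 1 and 2 are assumptions made for the example.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/epoll.h>
#include <unistd.h>

/* Poll once without blocking; return the user-data tag of the ready entry, or 0 if none. */
static uint64_t ready_tag(int epfd) {
    struct epoll_event out;
    return epoll_wait(epfd, &out, 1, 0) == 1 ? out.data.u64 : 0;
}

/* One epoll_ctl() call with the four traced arguments; returns 0 or the errno value. */
static int ctl(int epfd, int op, int fd, uint32_t events, uint64_t tag) {
    struct epoll_event ev;
    memset(&ev, 0, sizeof ev);
    ev.events = events;
    ev.data.u64 = tag;            /* user data handed back by epoll_wait() */
    return epoll_ctl(epfd, op, fd, &ev) == -1 ? errno : 0;
}

/* Returns 0 if every step behaved as expected, else the number of the failing step. */
int epoll_ctl_demo(void) {
    int p[2], rc = 0;
    if (pipe(p) == -1) return 1;
    int epfd = epoll_create1(EPOLL_CLOEXEC);
    if (epfd == -1) { close(p[0]); close(p[1]); return 2; }

    if (ctl(epfd, EPOLL_CTL_ADD, p[0], EPOLLIN, 1) != 0) rc = 3;           /* register read end */
    else if (ctl(epfd, EPOLL_CTL_ADD, p[0], EPOLLIN, 1) != EEXIST) rc = 4; /* duplicate ADD fails */
    else if (write(p[1], "x", 1) != 1) rc = 5;
    else if (ready_tag(epfd) != 1) rc = 6;                                 /* readable, tag from ADD */
    else if (ctl(epfd, EPOLL_CTL_MOD, p[0], EPOLLIN, 2) != 0) rc = 7;      /* replace user data */
    else if (ready_tag(epfd) != 2) rc = 8;                                 /* same fd, new tag */
    else if (ctl(epfd, EPOLL_CTL_DEL, p[0], 0, 0) != 0) rc = 9;            /* stop monitoring */
    else if (ready_tag(epfd) != 0) rc = 10;                                /* data pending, not reported */
    else if (ctl(epfd, EPOLL_CTL_DEL, p[0], 0, 0) != ENOENT) rc = 11;      /* second DEL fails */

    close(epfd); close(p[0]); close(p[1]);
    return rc;
}

int main(void) {
    int rc = epoll_ctl_demo();
    if (rc) printf("step %d failed\n", rc);
    else puts("all epoll_ctl operations behaved as expected");
    return rc;
}
```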

Issues

epoll_ctl does not generalize I/O event monitoring to other kinds of objects like signals and timers - use different system calls to program these special kinds of events.

Related Events

  • epoll_create1 - creates an epoll instance
  • __x64_sys_epoll_pwait - waits for an I/O event on an epoll instance
  • epoll_wait - suspends the calling thread until an I/O event occurs on an epoll instance

This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user reads the "events.go" source file to understand the events and their arguments better.