epoll_ctl - program the event filter for an epoll instance
The epoll_ctl() system call is used to add, modify, or delete entries in an epoll instance's kernel struct associated with a file descriptor. An application creates an epoll instance using epoll_create1() and receives notification of I/O events through that instance.
For each file descriptor, the process can register multiple associated events along with a user-supplied file descriptor reference. The set of registered events and their associated user data for a given file descriptor can be changed using epoll_ctl().
Note that the epoll_ctl() system call does not generalize I/O event monitoring to other kinds of The epoll_wait() thread-safe system call. Objects like signals and timers - use different system calls to program these special kinds of events.
int- epoll instance file descriptor
int[K] - operation code
int[K] - file descriptor to be monitored
struct epoll_event*[K] - structure with epoll events
- K - Originated from kernel-space.
Kprobe + Kretprobe
The purpose for hooking the sys_epoll_ctl kernel entry point is to trace the epoll_ctl system call and its arguments, as well as the return code.
The purpose for hooking the sys_epoll_create1 kernel entry point is to trace the epoll_create1 system call and its arguments, as well as the return code.
Example Use Case¶
The epoll_ctl system call can be used to add, modify, or delete entries in an epoll instance's kernel struct associated with a file descriptor. This can be useful for monitoring I/O on a large number of file descriptors. For example, an application can use epoll_ctl to monitor activity on a large number of sockets, and be alerted when one of the sockets has data ready to be read.
epoll_ctl does not generalize I/O event monitoring to other kinds of objects like signals and timers - use different system calls to program these special kinds of events.
epoll_create1- creates an epoll instance
__x64_sys_epoll_pwait- waits for an I/O event on an epoll instance
epoll_wait- suspends the calling thread until an I/O event occurs on an epoll instance
This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user reads the "events.go" source file to understand the events and their arguments better.