in_ebpf: Add vfs trace #11568

Open
cosmo0920 wants to merge 1 commit into master from cosmo0920-add-vfs-traces

cosmo0920 (Contributor) commented Mar 17, 2026

VFS also provides eBPF entry points, so we can provide this type of trace.


Enter [N/A] in the box, if an item is not applicable to your change.

Testing
Before we can approve your change, please submit the following in a comment:

  • Example configuration file for the change
$ sudo bin/fluent-bit -i ebpf -ptrace=trace_vfs -o stdout 
  • Debug log output from testing the change
Fluent Bit v5.0.0
* Copyright (C) 2015-2025 The Fluent Bit Authors
* Fluent Bit is a CNCF graduated project under the Fluent organization
* https://fluentbit.io

______ _                  _    ______ _ _           _____  _____           _            
|  ___| |                | |   | ___ (_) |         |  ___||  _  |         | |           
| |_  | |_   _  ___ _ __ | |_  | |_/ /_| |_  __   _|___ \ | |/' |______ __| | _____   __
|  _| | | | | |/ _ \ '_ \| __| | ___ \ | __| \ \ / /   \ \|  /| |______/ _` |/ _ \ \ / /
| |   | | |_| |  __/ | | | |_  | |_/ / | |_   \ V //\__/ /\ |_/ /     | (_| |  __/\ V / 
\_|   |_|\__,_|\___|_| |_|\__| \____/|_|\__|   \_/ \____(_)\___/       \__,_|\___| \_/


[2026/03/17 14:19:46.866] [ info] Configuration:
[2026/03/17 14:19:46.866] [ info]  flush time     | 1.000000 seconds
[2026/03/17 14:19:46.866] [ info]  grace          | 5 seconds
[2026/03/17 14:19:46.866] [ info]  daemon         | 0
[2026/03/17 14:19:46.866] [ info] ___________
[2026/03/17 14:19:46.866] [ info]  inputs:
[2026/03/17 14:19:46.866] [ info]      ebpf
[2026/03/17 14:19:46.866] [ info] ___________
[2026/03/17 14:19:46.866] [ info]  filters:
[2026/03/17 14:19:46.866] [ info] ___________
[2026/03/17 14:19:46.866] [ info]  outputs:
[2026/03/17 14:19:46.866] [ info]      stdout.0
[2026/03/17 14:19:46.866] [ info] ___________
[2026/03/17 14:19:46.866] [ info]  collectors:
[2026/03/17 14:19:46.866] [ info] [fluent bit] version=5.0.0, commit=d758d4212e, pid=2490979
[2026/03/17 14:19:46.867] [debug] [engine] coroutine stack size: 24576 bytes (24.0K)
[2026/03/17 14:19:46.867] [ info] [storage] ver=1.5.4, type=memory, sync=normal, checksum=off, max_chunks_up=128
[2026/03/17 14:19:46.867] [ info] [simd    ] SSE2
[2026/03/17 14:19:46.867] [ info] [cmetrics] version=2.0.2
[2026/03/17 14:19:46.867] [ info] [ctraces ] version=0.7.0
[2026/03/17 14:19:46.867] [ info] [input:ebpf:ebpf.0] initializing
[2026/03/17 14:19:46.867] [ info] [input:ebpf:ebpf.0] storage_strategy='memory' (memory only)
[2026/03/17 14:19:46.867] [debug] [ebpf:ebpf.0] created event channels: read=21 write=22
[2026/03/17 14:19:46.867] [debug] [input:ebpf:ebpf.0] initializing eBPF input plugin
[2026/03/17 14:19:46.867] [debug] [input:ebpf:ebpf.0] processing trace: trace_vfs
[2026/03/17 14:19:46.867] [debug] [input:ebpf:ebpf.0] setting up trace configuration for: trace_vfs
[2026/03/17 14:19:46.888] [debug] [input:ebpf:ebpf.0] attaching BPF program for trace: trace_vfs
[2026/03/17 14:19:46.890] [debug] [input:ebpf:ebpf.0] registering trace handler for: trace_vfs
[2026/03/17 14:19:46.890] [ info] [input:ebpf:ebpf.0] registered trace handler for: trace_vfs
[2026/03/17 14:19:46.890] [ info] [input:ebpf:ebpf.0] trace configuration completed for: trace_vfs
[2026/03/17 14:19:46.890] [debug] [input:ebpf:ebpf.0] setting up collector with poll interval: 1000 ms
[2026/03/17 14:19:46.890] [ info] [input:ebpf:ebpf.0] eBPF input plugin initialized successfully
[2026/03/17 14:19:46.890] [debug] [stdout:stdout.0] created event channels: read=37 write=38
[2026/03/17 14:19:46.891] [ info] [sp] stream processor started
[2026/03/17 14:19:46.891] [ info] [engine] Shutdown Grace Period=5, Shutdown Input Grace Period=2
[2026/03/17 14:19:46.891] [ info] [output:stdout:stdout.0] worker #0 started
[2026/03/17 14:19:47.203] [debug] [input:ebpf:ebpf.0] collecting events from ring buffers
[2026/03/17 14:19:47.203] [debug] [input:ebpf:ebpf.0] consuming events from ring buffer trace_vfs
[2026/03/17 14:19:47.203] [debug] [input:ebpf:ebpf.0] successfully consumed events from ring buffer trace_vfs
[2026/03/17 14:19:48.203] [debug] [task] created task=0x714da4070990 id=0 OK
[2026/03/17 14:19:48.203] [debug] [output:stdout:stdout.0] task_id=0 assigned to thread #0
[2026/03/17 14:19:48.203] [debug] [input:ebpf:ebpf.0] collecting events from ring buffers
[2026/03/17 14:19:48.203] [debug] [input:ebpf:ebpf.0] consuming events from ring buffer trace_vfs
[0] ebpf.0: [[1773724787.203364419, {}], {"event_type"=>"vfs", "pid"=>982, "tid"=>982, "comm"=>"iio-sensor-prox", "operation"=>0, "path"=>"/dev/iio:device5", "flags"=>2048, "mode"=>0, "fd"=>8, "error_raw"=>0}]
[1] ebpf.0: [[1773724787.203467824, {}], {"event_type"=>"vfs", "pid"=>1004, "tid"=>1004, "comm"=>"systemd-logind", "operation"=>0, "path"=>"/proc/2487125/cgroup", "flags"=>524288, "mode"=>0, "fd"=>11, "error_raw"=>0}]
[2] ebpf.0: [[1773724787.203479856, {}], {"event_type"=>"vfs", "pid"=>1004, "tid"=>1004, "comm"=>"systemd-logind", "operation"=>0, "path"=>"/proc/1/cgroup", "flags"=>524288, "mode"=>0, "fd"=>11, "error_raw"=>0}]
[3] ebpf.0: [[1773724787.203489011, {}], {"event_type"=>"vfs", "pid"=>1004, "tid"=>1004, "comm"=>"systemd-logind", "operation"=>0, "path"=>"/proc/2487125/stat", "flags"=>524288, "mode"=>0, "fd"=>11, "error_raw"=>0}]
[4] ebpf.0: [[1773724787.203497971, {}], {"event_type"=>"vfs", "pid"=>1004, "tid"=>1004, "comm"=>"systemd-logind", "operation"=>0, "path"=>"/", "flags"=>2686976, "mode"=>0, "fd"=>11, "error_raw"=>0}]
[5] ebpf.0: [[1773724787.203506275, {}], {"event_type"=>"vfs", "pid"=>1004, "tid"=>1004, "comm"=>"systemd-logind", "operation"=>0, "path"=>"/", "flags"=>2686976, "mode"=>0, "fd"=>22, "error_raw"=>0}]
[6] ebpf.0: [[1773724787.203514271, {}], {"event_type"=>"vfs", "pid"=>1004, "tid"=>1004, "comm"=>"systemd-logind", "operation"=>0, "path"=>"/", "flags"=>2686976, "mode"=>0, "fd"=>26, "error_raw"=>0}]
[7] ebpf.0: [[1773724787.203522448, {}], {"event_type"=>"vfs", "pid"=>1004, "tid"=>1004, "comm"=>"systemd-logind", "operation"=>0, "path"=>"sys", "flags"=>2752512, "mode"=>0, "fd"=>27, "error_raw"=>0}]
[8] ebpf.0: [[1773724787.203530298, {}], {"event_type"=>"vfs", "pid"=>1004, "tid"=>1004, "comm"=>"systemd-logind", "operation"=>0, "path"=>"class", "flags"=>2752512, "mode"=>0, "fd"=>22, "error_raw"=>0}]
[9] ebpf.0: [[1773724787.203538071, {}], {"event_type"=>"vfs", "pid"=>1004, "tid"=>1004, "comm"=>"systemd-logind", "operation"=>0, "path"=>"backlight", "flags"=>2752512, "mode"=>0, "fd"=>27, "error_raw"=>0}]
[10] ebpf.0: [[1773724787.203546552, {}], {"event_type"=>"vfs", "pid"=>1004, "tid"=>1004, "comm"=>"systemd-logind", "operation"=>0, "path"=>"intel_backlight", "flags"=>2752512, "mode"=>0, "fd"=>22, "error_raw"=>0}]
[11] ebpf.0: [[1773724787.203554624, {}], {"event_type"=>"vfs", "pid"=>1004, "tid"=>1004, "comm"=>"systemd-logind", "operation"=>0, "path"=>"..", "flags"=>2818048, "mode"=>0, "fd"=>22, "error_raw"=>0}]
[12] ebpf.0: [[1773724787.203562754, {}], {"event_type"=>"vfs", "pid"=>1004, "tid"=>1004, "comm"=>"systemd-logind", "operation"=>0, "path"=>"..", "flags"=>2818048, "mode"=>0, "fd"=>27, "error_raw"=>0}]
[13] ebpf.0: [[1773724787.203570724, {}], {"event_type"=>"vfs", "pid"=>1004, "tid"=>1004, "comm"=>"systemd-logind", "operation"=>0, "path"=>"devices", "flags"=>2752512, "mode"=>0, "fd"=>22, "error_raw"=>0}]
[14] ebpf.0: [[1773724787.203578495, {}], {"event_type"=>"vfs", "pid"=>1004, "tid"=>1004, "comm"=>"systemd-logind", "operation"=>0, "path"=>"pci0000:00", "flags"=>2752512, "mode"=>0, "fd"=>27, "error_raw"=>0}]
[15] ebpf.0: [[1773724787.203586334, {}], {"event_type"=>"vfs", "pid"=>1004, "tid"=>1004, "comm"=>"systemd-logind", "operation"=>0, "path"=>"0000:00:02.0", "flags"=>2752512, "mode"=>0, "fd"=>22, "error_raw"=>0}]
[16] ebpf.0: [[1773724787.203594098, {}], {"event_type"=>"vfs", "pid"=>1004, "tid"=>1004, "comm"=>"systemd-logind", "operation"=>0, "path"=>"drm", "flags"=>2752512, "mode"=>0, "fd"=>27, "error_raw"=>0}]
[17] ebpf.0: [[1773724787.203601901, {}], {"event_type"=>"vfs", "pid"=>1004, "tid"=>1004, "comm"=>"systemd-logind", "operation"=>0, "path"=>"card1", "flags"=>2752512, "mode"=>0, "fd"=>22, "error_raw"=>0}]
[18] ebpf.0: [[1773724787.203609786, {}], {"event_type"=>"vfs", "pid"=>1004, "tid"=>1004, "comm"=>"systemd-logind", "operation"=>0, "path"=>"card1-eDP-1", "flags"=>2752512, "mode"=>0, "fd"=>27, "error_raw"=>0}]
[19] ebpf.0: [[1773724787.203617596, {}], {"event_type"=>"vfs", "pid"=>1004, "tid"=>1004, "comm"=>"systemd-logind", "operation"=>0, "path"=>"intel_backlight", "flags"=>2752512, "mode"=>0, "fd"=>22, "error_raw"=>0}]
[20] ebpf.0: [[1773724787.203625391, {}], {"event_type"=>"vfs", "pid"=>1004, "tid"=>1004, "comm"=>"systemd-logind", "operation"=>0, "path"=>"/proc/self/fd/22", "flags"=>2621696, "mode"=>0, "fd"=>11, "error_raw"=>0}]
[21] ebpf.0: [[1773724787.203633258, {}], {"event_type"=>"vfs", "pid"=>1004, "tid"=>1004, "comm"=>"systemd-logind", "operation"=>0, "path"=>"/sys/devices/pci0000:00/0000:00:02.0/drm/card1/card1-eDP-1/intel_backlight/uevent", "flags"=>524544, "mode"=>0, "fd"=>11, "error_raw"=>0}]
[22] ebpf.0: [[1773724787.203641625, {}], {"event_type"=>"vfs", "pid"=>1004, "tid"=>1004, "comm"=>"systemd-logind", "operation"=>0, "path"=>"/run/udev/data/+backlight:intel_backlight", "flags"=>524288, "mode"=>0, "fd"=>11, "error_raw"=>0}]
[23] ebpf.0: [[1773724787.203649333, {}], {"event_type"=>"vfs", "pid"=>2490983, "tid"=>2490983, "comm"=>"(sd-bright)", "operation"=>0, "path"=>"/dev/null", "flags"=>524290, "mode"=>0, "fd"=>3, "error_raw"=>0}]
[24] ebpf.0: [[1773724787.203657159, {}], {"event_type"=>"vfs", "pid"=>2490983, "tid"=>2490983, "comm"=>"(sd-bright)", "operation"=>0, "path"=>"/sys/devices/pci0000:00/0000:00:02.0/drm/card1/card1-eDP-1/intel_backlight/brightness", "flags"=>655617, "mode"=>0, "fd"=>4, "error_raw"=>0}]
[25] ebpf.0: [[1773724787.203664982, {}], {"event_type"=>"vfs", "pid"=>1517883, "tid"=>1517883, "comm"=>"systemd-udevd", "operation"=>0, "path"=>"/run/udev/queue", "flags"=>2752512, "mode"=>0, "fd"=>-2, "error_raw"=>2}]
[26] ebpf.0: [[1773724787.203673033, {}], {"event_type"=>"vfs", "pid"=>1517883, "tid"=>1517883, "comm"=>"systemd-udevd", "operation"=>0, "path"=>"/run/udev/queue", "flags"=>524481, "mode"=>420, "fd"=>16, "error_raw"=>0}]
[27] ebpf.0: [[1773724787.203680813, {}], {"event_type"=>"vfs", "pid"=>2486417, "tid"=>2486417, "comm"=>"(udev-worker)", "operation"=>0, "path"=>"/run/udev/data/+backlight:intel_backlight", "flags"=>524288, "mode"=>0, "fd"=>18, "error_raw"=>0}]
[2026/03/17 14:19:48.204] [debug] [input:ebpf:ebpf.0] successfully consumed events from ring buffer trace_vfs
[28] ebpf.0: [[1773724787.203688796, {}], {"event_type"=>"vfs", "pid"=>2486417, "tid"=>2486417, "comm"=>"(udev-worker)", "operation"=>0, "path"=>"/", "flags"=>2686976, "mode"=>0, "fd"=>18, "error_raw"=>0}]
  • Attached Valgrind output that shows no leaks or memory corruption was found

If this is a change to packaging of containers or native binaries then please confirm it works for all targets.

  • Run local packaging test showing all targets (including any new ones) build.
  • Set ok-package-test label to test for all targets (requires maintainer to do).

Documentation

  • Documentation required for this feature

Backporting

  • Backport to latest stable release.

Fluent Bit is licensed under Apache 2.0, by submitting this pull request I understand that this code will be released under the terms of that license.

Summary by CodeRabbit

  • New Features

    • Added VFS event tracing (captures openat operations)
    • Captures operation details: path, flags, mode, file descriptor, and error info
    • Per-thread tracking and mount-namespace filtering to reduce noise
  • Documentation

    • Updated configuration examples to include the new "vfs" trace option
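
The `flags` field in the debug output above is the raw openat(2) flag word. As an added example (not part of this PR or of Fluent Bit), the following decodes it into `O_*` names and marks opens that ask for write access; the function names are hypothetical, and the flag table is assumed to be the Linux x86-64 one, matching the host that produced the log.

```c
#include <stdio.h>
#include <string.h>

/* Linux x86-64 (asm-generic) open(2) flag values, hard-coded because
 * <fcntl.h> differs on some architectures (arm64 for one). */
#define ACC_MASK 03u
#define F_CREAT  0100u
#define F_TRUNC  01000u
#define F_PATH   010000000u

struct flag_name { unsigned int bit; const char *name; };

static const struct flag_name OPEN_FLAGS[] = {
    { F_CREAT, "O_CREAT" }, { 0200u, "O_EXCL" }, { 0400u, "O_NOCTTY" },
    { F_TRUNC, "O_TRUNC" }, { 02000u, "O_APPEND" }, { 04000u, "O_NONBLOCK" },
    { 010000u, "O_DSYNC" }, { 020000u, "O_ASYNC" }, { 040000u, "O_DIRECT" },
    { 0100000u, "O_LARGEFILE" }, { 0200000u, "O_DIRECTORY" },
    { 0400000u, "O_NOFOLLOW" }, { 01000000u, "O_NOATIME" },
    { 02000000u, "O_CLOEXEC" }, { 04000000u, "__O_SYNC" },
    { F_PATH, "O_PATH" }, { 020000000u, "__O_TMPFILE" },
};

/* Append s to the NUL-terminated buf, '|'-separated; -1 if it does not fit. */
static int append_token(char *buf, size_t len, const char *s)
{
    size_t used = strlen(buf);
    if (used + (used > 0) + strlen(s) + 1 > len) {
        return -1;
    }
    if (used > 0) {
        buf[used++] = '|';
    }
    strcpy(buf + used, s);
    return 0;
}

/* Render flags as "O_WRONLY|O_CREAT|..."; bits missing from the table are
 * kept as one hex token. Returns 0, or -1 when buf is too small. */
int vfs_flags_to_string(unsigned int flags, char *buf, size_t len)
{
    static const char *const ACC[] = { "O_RDONLY", "O_WRONLY", "O_RDWR", "O_ACCMODE" };
    unsigned int rest = flags & ~ACC_MASK;
    char hex[16];
    size_t i;
    int rc;
    if (len == 0) {
        return -1;
    }
    buf[0] = '\0';
    rc = append_token(buf, len, ACC[flags & ACC_MASK]);
    for (i = 0; rc == 0 && i < sizeof(OPEN_FLAGS) / sizeof(OPEN_FLAGS[0]); i++) {
        if (rest & OPEN_FLAGS[i].bit) {
            rc = append_token(buf, len, OPEN_FLAGS[i].name);
            rest &= ~OPEN_FLAGS[i].bit;
        }
    }
    if (rc == 0 && rest != 0) {
        snprintf(hex, sizeof(hex), "0x%x", rest);
        rc = append_token(buf, len, hex);
    }
    return rc;
}

/* 1 when the open can modify the file: write access mode, O_CREAT or O_TRUNC.
 * O_PATH opens never can; the kernel ignores those bits for them. */
int vfs_open_wants_write(unsigned int flags)
{
    unsigned int acc = flags & ACC_MASK;
    return !(flags & F_PATH) &&
           (acc == 1u || acc == 2u || (flags & (F_CREAT | F_TRUNC)) != 0);
}

int main(void)
{
    /* flags values copied from the debug output above */
    static const unsigned int samples[] = { 2048u, 524288u, 2686976u, 655617u, 524481u };
    char buf[128];
    size_t i;
    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        vfs_flags_to_string(samples[i], buf, sizeof(buf));
        printf("%u write=%d %s\n", samples[i], vfs_open_wants_write(samples[i]), buf);
    }
    return 0;
}
```

On the sample records, only the two `(sd-bright)` opens and the second `/run/udev/queue` open decode as write opens; the many `systemd-logind` entries are `O_PATH` directory walks.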

coderabbitai bot commented Mar 17, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 58967fe1-6be0-4931-8087-b90a79b30f08

📥 Commits

Reviewing files that changed from the base of the PR and between d758d42 and 858f219.

📒 Files selected for processing (7)
  • plugins/in_ebpf/in_ebpf.c
  • plugins/in_ebpf/traces/includes/common/encoder.h
  • plugins/in_ebpf/traces/includes/common/events.h
  • plugins/in_ebpf/traces/traces.h
  • plugins/in_ebpf/traces/vfs/bpf.c
  • plugins/in_ebpf/traces/vfs/handler.c
  • plugins/in_ebpf/traces/vfs/handler.h
✅ Files skipped from review due to trivial changes (3)
  • plugins/in_ebpf/in_ebpf.c
  • plugins/in_ebpf/traces/includes/common/encoder.h
  • plugins/in_ebpf/traces/vfs/handler.h

📝 Walkthrough

Adds VFS (openat) tracing: new event types and structs, eBPF programs to capture sys_enter/sys_exit_openat and emit events, and handler/encoder code to serialize and forward VFS events into Fluent Bit.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Event definitions & encoder: plugins/in_ebpf/traces/includes/common/events.h, plugins/in_ebpf/traces/includes/common/encoder.h, plugins/in_ebpf/in_ebpf.c | Introduce EVENT_TYPE_VFS, VFS_PATH_MAX, enum vfs_op, struct vfs_event and add vfs to struct event union. Extend event_type_to_string() to return "vfs". Update user-facing Trace examples to include vfs. |
| Trace registration & headers: plugins/in_ebpf/traces/traces.h, plugins/in_ebpf/traces/vfs/handler.h | Register trace_vfs in trace table, add trace_vfs skeleton accessor, and declare trace_vfs_handler and encode_vfs_event. |
| eBPF probe: plugins/in_ebpf/traces/vfs/bpf.c | New eBPF program tracing sys_enter_openat / sys_exit_openat: captures filename, flags, mode, mntns filtering, stores per-thread args, builds and submits VFS events. |
| Userspace handler & encoder: plugins/in_ebpf/traces/vfs/handler.c | Add encode_vfs_event() to serialize common + VFS-specific fields and trace_vfs_handler() to validate events and append encoded records to Fluent Bit input. |

sequenceDiagram
    participant Kernel as Kernel
    participant eBPF as "eBPF Program\n(trace_vfs)"
    participant Handler as "VFS Handler\n(encode_vfs_event)"
    participant FluentBit as Fluent Bit

    Kernel->>eBPF: sys_enter_openat(filename, flags, mode)
    eBPF->>eBPF: store args in per-tid map

    Kernel->>eBPF: sys_exit_openat(ret)
    eBPF->>eBPF: lookup per-tid entry
    eBPF->>eBPF: build event (ts, pid, uid, gid, mntns, cmd, op, path, flags, mode, fd, error_raw)
    eBPF->>Handler: submit event buffer

    Handler->>Handler: validate event type/size
    Handler->>Handler: encode common fields
    Handler->>Handler: encode VFS fields (operation, path, flags, mode, fd, error_raw)
    Handler->>FluentBit: flb_input_log_append(encoded_record)
    Handler->>Handler: reset encoder

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

🐰 I sniffed the kernel, caught a file’s cheer,
Openat footsteps hopping near,
From enter to exit the data I weave,
Paths and flags tucked in logs I leave,
A tiny rabbit, logging so clear.

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title clearly and concisely summarizes the main change: adding VFS trace support to the in_ebpf plugin. It matches the primary focus of the changeset across all modified files. |

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (5)
plugins/in_ebpf/traces/vfs/handler.c (3)

10-12: Unused ins parameter.

The ins parameter is declared but never used in encode_vfs_event. Either remove it to match the actual interface needs, or use it for debug/error logging (e.g., flb_plg_debug(ins, ...)).

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@plugins/in_ebpf/traces/vfs/handler.c` around lines 10 - 12, The parameter
`ins` in the function `encode_vfs_event` is unused; either remove `ins` from the
function signature and update all declarations/call sites (prototypes and
callers of `encode_vfs_event`) to match, or use it for diagnostic logging (e.g.,
call `flb_plg_debug(ins, ...)` inside `encode_vfs_event`) and keep the
parameter; ensure the chosen approach keeps function prototypes in headers and
callers consistent and rebuilds without unused-parameter warnings.

27-36: Consider encoding operation as a human-readable string.

The operation field is encoded as an int32 (the raw enum value). For consistency with event_type which is encoded as a string (e.g., "vfs"), consider encoding operation as "openat" rather than 0. This improves log readability without requiring downstream consumers to map enum values.

♻️ Example: Add operation-to-string helper
static inline const char *vfs_op_to_string(enum vfs_op op) {
    switch (op) {
        case VFS_OP_OPENAT: return "openat";
        default: return "unknown";
    }
}

Then use flb_log_event_encoder_append_body_cstring(log_encoder, vfs_op_to_string(ev->details.vfs.operation)).

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@plugins/in_ebpf/traces/vfs/handler.c` around lines 27 - 36, Replace the
integer encoding of the VFS operation with a human-readable string: add a helper
function (e.g., vfs_op_to_string(enum vfs_op op)) that maps enum values (use
cases like VFS_OP_OPENAT) to strings, then call
flb_log_event_encoder_append_body_cstring(log_encoder,
vfs_op_to_string(ev->details.vfs.operation)) instead of
flb_log_event_encoder_append_body_int32; preserve the existing error handling by
checking the return for FLB_EVENT_ENCODER_SUCCESS and calling
flb_log_event_encoder_rollback_record(log_encoder) and returning -1 on failure.

101-106: Type aliasing via struct field ordering is fragile.

The cast of void *ctx to struct trace_event_context * is currently safe because flb_in_ebpf_context has ins and log_encoder as its first two fields in matching order. However, this design implicitly relies on struct field layout rather than explicit typing. If flb_in_ebpf_context fields are ever reordered, all handlers (signal, malloc, bind, vfs) will silently break.

Consider a wrapper function or type-safe callback mechanism to avoid this fragility.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@plugins/in_ebpf/traces/vfs/handler.c` around lines 101 - 106, The handler
currently casts void *ctx to struct trace_event_context in trace_vfs_handler,
relying on flb_in_ebpf_context and trace_event_context having matching
first-field layout (ins, log_encoder) which is fragile; change the callback API
or add a small, type-safe wrapper that accepts the real flb_in_ebpf_context* and
extracts/forwards a properly built struct trace_event_context (or provides
accessor functions for log_encoder) so handlers (trace_vfs_handler and the other
handlers: signal, malloc, bind) no longer perform unsafe casts; update handler
registrations to call the new wrapper/adapter so code uses explicit types
instead of relying on struct field ordering.
plugins/in_ebpf/traces/vfs/handler.h (1)

1-12: Header is not self-contained: missing type declarations.

The header declares encode_vfs_event with parameters of type struct flb_input_instance * and struct flb_log_event_encoder *, but neither type is forward-declared nor included. This could cause compilation errors if this header is included before the Fluent Bit headers.

Consider adding forward declarations:

♻️ Proposed fix to add forward declarations
 `#ifndef` VFS_HANDLER_H
 `#define` VFS_HANDLER_H
 
 `#include` <stddef.h>
 `#include` "common/events.h"
 
+struct flb_input_instance;
+struct flb_log_event_encoder;
+
 int trace_vfs_handler(void *ctx, void *data, size_t data_sz);
 int encode_vfs_event(struct flb_input_instance *ins,
                      struct flb_log_event_encoder *log_encoder,
                      const struct event *ev);
 
 `#endif`
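Review bot: the added `struct flb_input_instance;` forward declaration exists only to serve the `ins` parameter of encode_vfs_event, which this same review reports as unused in handler.c (lines 10-12). If that parameter is removed, drop this forward declaration and update the prototype in the same change so the header and handler.c stay in step. If it is kept, forward declarations are sufficient here because the prototypes take only pointers to these types, and a one-line comment saying so above the two declarations would keep someone from replacing them with full includes later.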
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@plugins/in_ebpf/traces/vfs/handler.h` around lines 1 - 12, The header
declares encode_vfs_event with parameters using struct flb_input_instance and
struct flb_log_event_encoder but does not forward-declare them or include their
headers; add forward declarations for "struct flb_input_instance;" and "struct
flb_log_event_encoder;" near the top of this header (before the prototype for
encode_vfs_event) so the declarations of trace_vfs_handler and encode_vfs_event
compile when this header is included independently.
plugins/in_ebpf/traces/includes/common/events.h (1)

8-8: Consider path truncation implications.

VFS_PATH_MAX = 256 is relatively small compared to the system PATH_MAX (typically 4096). Long paths will be truncated during bpf_probe_read_user_str. This is likely intentional to keep event size manageable in BPF ring buffers, but worth documenting or logging when truncation occurs.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@plugins/in_ebpf/traces/includes/common/events.h` at line 8, VFS_PATH_MAX is
set to 256 which will cause long user paths to be truncated when read with
bpf_probe_read_user_str; update the implementation that reads paths (calls to
bpf_probe_read_user_str) to detect truncation by checking the returned length
and set a truncation indicator in the event (add or reuse a flag/field in the
event struct) or increase VFS_PATH_MAX if you want to preserve full paths, and
add a brief comment next to the VFS_PATH_MAX macro documenting the truncation
behavior and reasoning; reference the VFS_PATH_MAX macro and the call sites that
use bpf_probe_read_user_str to implement the detection and flagging.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@plugins/in_ebpf/traces/vfs/bpf.c`:
- Line 1: The SPDX header and the kernel-facing LICENSE string in the BPF file
are inconsistent (SPDX says "LGPL-2.1 OR BSD-2-Clause" while the kernel-facing
string declares "Dual BSD/GPL"); decide on the intended license and make both
declarations match across this file and all BPF files: update the SPDX
identifier at the top to the chosen SPDX expression and update the kernel-facing
license string (the BPF module's LICENSE string constant, e.g., the "LICENSE"
char[] used by the BPF program) to the equivalent kernel-facing wording (e.g.,
"GPL" or "Dual BSD/GPL") so they are consistent. Ensure you apply the same
change to every BPF source file in the project.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 7c94e461-090b-4b89-af70-3048b1e612b3

📥 Commits

Reviewing files that changed from the base of the PR and between 81eb49f and d758d42.

📒 Files selected for processing (7)
  • plugins/in_ebpf/in_ebpf.c
  • plugins/in_ebpf/traces/includes/common/encoder.h
  • plugins/in_ebpf/traces/includes/common/events.h
  • plugins/in_ebpf/traces/traces.h
  • plugins/in_ebpf/traces/vfs/bpf.c
  • plugins/in_ebpf/traces/vfs/handler.c
  • plugins/in_ebpf/traces/vfs/handler.h

Signed-off-by: Hiroshi Hatake <hiroshi@chronosphere.io>