clang-format fixes

GPL/Events/File/Probe.bpf.c

@@ -218,7 +218,10 @@ int BPF_KPROBE(kprobe__vfs_unlink)
 
 // prepare a file event and send it to ringbuf.
 // if path_prefix is non-NULL then event will only be sent to ringbuf if file path has that prefix
-static void prepare_and_send_file_event(struct file *f, enum ebpf_event_type type, const char *path_prefix, int path_prefix_len)
+static void prepare_and_send_file_event(struct file *f,
+                                        enum ebpf_event_type type,
+                                        const char *path_prefix,
+                                        int path_prefix_len)
 {
     struct ebpf_file_create_event *event = get_event_buffer();
     if (!event)
@@ -287,13 +290,12 @@ static int do_filp_open__exit(struct file *f)
         prepare_and_send_file_event(f, EBPF_EVENT_FILE_CREATE, NULL, 0);
     } else {
         // check if memfd file is being opened
-        struct path p            = BPF_CORE_READ(f, f_path);
-        struct dentry *curr_dentry =  BPF_CORE_READ(&p, dentry);
-        struct qstr component = BPF_CORE_READ(curr_dentry, d_name);
-        char buf_filename[8] = {0};
-        int ret = bpf_probe_read_kernel_str(buf_filename,
-                                            sizeof(MEMFD_STRING),
-                                            (void *)component.name);
+        struct path p              = BPF_CORE_READ(f, f_path);
+        struct dentry *curr_dentry = BPF_CORE_READ(&p, dentry);
+        struct qstr component      = BPF_CORE_READ(curr_dentry, d_name);
+        char buf_filename[8]       = {0};
+        int ret =
+            bpf_probe_read_kernel_str(buf_filename, sizeof(MEMFD_STRING), (void *)component.name);
         if (ret <= 0) {
             bpf_printk("could not read d_name at %p\n", component.name);
             goto out;
@@ -307,24 +309,22 @@ static int do_filp_open__exit(struct file *f)
         }
 
         struct vfsmount *curr_vfsmount = BPF_CORE_READ(&p, mnt);
-        const char *fs_type_name = BPF_CORE_READ(curr_vfsmount, mnt_sb, s_type, name);
+        const char *fs_type_name       = BPF_CORE_READ(curr_vfsmount, mnt_sb, s_type, name);
 
         // check if /dev/shm shared memory file is being opened
         // first check if fs is tmpfs
         char buf_fsname[8] = {0};
-        ret = bpf_probe_read_kernel_str(buf_fsname,
-                                        sizeof(TMPFS_STRING),
-                                        (void *)fs_type_name);
+        ret = bpf_probe_read_kernel_str(buf_fsname, sizeof(TMPFS_STRING), (void *)fs_type_name);
         if (ret <= 0) {
             bpf_printk("could not read fsname at %p\n", fs_type_name);
             goto out;
         }
 
         int is_tmpfs = is_equal_prefix(buf_fsname, TMPFS_STRING, sizeof(TMPFS_STRING) - 1);
-        if (is_tmpfs)
-        {
+        if (is_tmpfs) {
             // now filter for /dev/shm prefix, if there is match - send an SHMEM file open event
-            prepare_and_send_file_event(f, EBPF_EVENT_FILE_SHMEM_OPEN, DEVSHM_STRING, sizeof(DEVSHM_STRING) - 1);
+            prepare_and_send_file_event(f, EBPF_EVENT_FILE_SHMEM_OPEN, DEVSHM_STRING,
+                                        sizeof(DEVSHM_STRING) - 1);
         }
     }
 

GPL/Events/Helpers.h

@@ -14,8 +14,8 @@
 
 const volatile int consumer_pid = 0;
 
-#define MEMFD_STRING  "memfd:"
-#define TMPFS_STRING  "tmpfs"
+#define MEMFD_STRING "memfd:"
+#define TMPFS_STRING "tmpfs"
 #define DEVSHM_STRING "/dev/shm"
 
 #if BPF_DEBUG_TRACE == 0

GPL/Events/Process/Probe.bpf.c

@@ -99,25 +99,23 @@ int BPF_PROG(sched_process_exec,
     ebpf_ctty__fill(&event->ctty, task);
 
     if (!binprm)
-      return 0;
+        return 0;
 
     // set setuid and setgid flags
-    struct file *f = BPF_CORE_READ(binprm, file);
+    struct file *f        = BPF_CORE_READ(binprm, file);
     struct inode *f_inode = BPF_CORE_READ(f, f_inode);
-    event->is_setuid = (BPF_CORE_READ(f_inode, i_mode) & S_ISUID) ? true : false;
-    event->is_setgid = (BPF_CORE_READ(f_inode, i_mode) & S_ISGID) ? true : false;
+    event->is_setuid      = (BPF_CORE_READ(f_inode, i_mode) & S_ISUID) ? true : false;
+    event->is_setgid      = (BPF_CORE_READ(f_inode, i_mode) & S_ISGID) ? true : false;
 
     // set inode link count (0 means anonymous or deleted file)
     event->inode_nlink = BPF_CORE_READ(f_inode, i_nlink);
 
     // check if memfd file is being exec'd
-    struct path p            = BPF_CORE_READ(binprm, file, f_path);
-    struct dentry *curr_dentry =  BPF_CORE_READ(&p, dentry);
-    struct qstr component = BPF_CORE_READ(curr_dentry, d_name);
-    char buf_filename[8] = {0};
-    int ret = bpf_probe_read_kernel_str(buf_filename,
-                                        sizeof(MEMFD_STRING),
-                                        (void *)component.name);
+    struct path p              = BPF_CORE_READ(binprm, file, f_path);
+    struct dentry *curr_dentry = BPF_CORE_READ(&p, dentry);
+    struct qstr component      = BPF_CORE_READ(curr_dentry, d_name);
+    char buf_filename[8]       = {0};
+    int ret = bpf_probe_read_kernel_str(buf_filename, sizeof(MEMFD_STRING), (void *)component.name);
     if (ret <= 0) {
         bpf_printk("could not read d_name at %p\n", component.name);
         goto out;
@@ -271,7 +269,7 @@ int BPF_PROG(module_load, struct module *mod)
 
     ebpf_pid_info__fill(&event->pids, task);
 
-    pid_t ppid = BPF_CORE_READ(task, group_leader, real_parent, tgid);
+    pid_t ppid      = BPF_CORE_READ(task, group_leader, real_parent, tgid);
     pid_t curr_tgid = BPF_CORE_READ(task, tgid);
 
     // ignore if process is child of init/systemd/whatever
@@ -283,8 +281,8 @@ int BPF_PROG(module_load, struct module *mod)
     struct ebpf_varlen_field *field;
     long size;
 
-    // from include/linux/moduleparam.h
-    #define MAX_PARAM_PREFIX_LEN (64 - sizeof(unsigned long))
+// from include/linux/moduleparam.h
+#define MAX_PARAM_PREFIX_LEN (64 - sizeof(unsigned long))
 
     // mod name
     field = ebpf_vl_field__add(&event->vl_fields, EBPF_VL_FIELD_FILENAME);
@@ -308,15 +306,19 @@ int BPF_PROG(module_load, struct module *mod)
 }
 
 SEC("kprobe/ptrace_attach")
-int BPF_KPROBE(kprobe__ptrace_attach, struct task_struct *child, long request, unsigned long addr, unsigned long flags)
+int BPF_KPROBE(kprobe__ptrace_attach,
+               struct task_struct *child,
+               long request,
+               unsigned long addr,
+               unsigned long flags)
 {
     if (ebpf_events_is_trusted_pid())
         goto out;
 
     struct task_struct *task = (struct task_struct *)bpf_get_current_task();
-    pid_t curr_tgid = BPF_CORE_READ(task, tgid);
-    pid_t child_ppid = BPF_CORE_READ(child, group_leader, real_parent, tgid);
-    pid_t child_tgid = BPF_CORE_READ(child, tgid);
+    pid_t curr_tgid          = BPF_CORE_READ(task, tgid);
+    pid_t child_ppid         = BPF_CORE_READ(child, group_leader, real_parent, tgid);
+    pid_t child_tgid         = BPF_CORE_READ(child, tgid);
 
     if (is_kernel_thread(task))
         goto out;
@@ -338,7 +340,7 @@ int BPF_KPROBE(kprobe__ptrace_attach, struct task_struct *child, long request, u
     ebpf_pid_info__fill(&event->pids, task);
 
     event->child_pid = child_tgid;
-    event->request = request;
+    event->request   = request;
 
     bpf_ringbuf_submit(event, 0);
 
@@ -377,8 +379,8 @@ int tracepoint_syscalls_sys_enter_shmget(struct trace_event_raw_sys_enter *ctx)
     event->hdr.ts   = bpf_ktime_get_ns();
     ebpf_pid_info__fill(&event->pids, task);
 
-    event->key = ex_args->key;
-    event->size = ex_args->size;
+    event->key    = ex_args->key;
+    event->size   = ex_args->size;
     event->shmflg = ex_args->shmflg;
 
     bpf_ringbuf_submit(event, 0);
@@ -416,22 +418,22 @@ int tracepoint_syscalls_sys_enter_memfd_create(struct trace_event_raw_sys_enter
     event->hdr.type = EBPF_EVENT_PROCESS_MEMFD_CREATE;
     event->hdr.ts   = bpf_ktime_get_ns();
 
-    // from linux/memfd.h:
-    //
-    /* flags for memfd_create(2) (unsigned int) */
-    #define MFD_CLOEXEC         0x0001U
-    #define MFD_ALLOW_SEALING   0x0002U
-    #define MFD_HUGETLB         0x0004U
-    /* not executable and sealed to prevent changing to executable. */
-    #define MFD_NOEXEC_SEAL     0x0008U
-    /* executable */
-    #define MFD_EXEC            0x0010U
-    event->flags = ex_args->flags;
-    event->flag_cloexec = (event->flags & MFD_CLOEXEC) ? true : false;
-    event->flag_allow_seal = (event->flags & MFD_ALLOW_SEALING) ? true : false;
-    event->flag_hugetlb = (event->flags & MFD_HUGETLB) ? true : false;
+// from linux/memfd.h:
+//
+/* flags for memfd_create(2) (unsigned int) */
+#define MFD_CLOEXEC 0x0001U
+#define MFD_ALLOW_SEALING 0x0002U
+#define MFD_HUGETLB 0x0004U
+/* not executable and sealed to prevent changing to executable. */
+#define MFD_NOEXEC_SEAL 0x0008U
+/* executable */
+#define MFD_EXEC 0x0010U
+    event->flags            = ex_args->flags;
+    event->flag_cloexec     = (event->flags & MFD_CLOEXEC) ? true : false;
+    event->flag_allow_seal  = (event->flags & MFD_ALLOW_SEALING) ? true : false;
+    event->flag_hugetlb     = (event->flags & MFD_HUGETLB) ? true : false;
     event->flag_noexec_seal = (event->flags & MFD_NOEXEC_SEAL) ? true : false;
-    event->flag_exec = (event->flags & MFD_EXEC) ? true : false;
+    event->flag_exec        = (event->flags & MFD_EXEC) ? true : false;
 
     ebpf_pid_info__fill(&event->pids, task);
 
@@ -442,7 +444,7 @@ int tracepoint_syscalls_sys_enter_memfd_create(struct trace_event_raw_sys_enter
 
     // memfd filename
     field = ebpf_vl_field__add(&event->vl_fields, EBPF_VL_FIELD_FILENAME);
-    size = bpf_probe_read_user_str(field->data, PATH_MAX, ex_args->uname);
+    size  = bpf_probe_read_user_str(field->data, PATH_MAX, ex_args->uname);
     if (size < 0)
         return 1;
     ebpf_vl_field__set_size(&event->vl_fields, field, size);

GPL/HostIsolation/TcFilter/BPFTcFilterTests.cpp

@@ -56,7 +56,7 @@ class BPFTcFilterTests : public ::testing::Test
         char *object_path_env    = getenv(OBJECT_PATH_ENV_VAR);
         int err                  = 0;
         m_obj                    = object_path_env == NULL ? bpf_object__open(DEFAULT_OBJECT_PATH)
-                                                           : bpf_object__open(object_path_env);
+                                        : bpf_object__open(object_path_env);
 
         if (libbpf_get_error(m_obj)) {
             FAIL() << "Cannot open ELF object to test, you can pass a custom one with the "

non-GPL/Events/EventsTrace/EventsTrace.c

@@ -29,9 +29,11 @@ const char argp_program_doc[] =
     "\n"
     "Prints process, network and file events sourced from the Elastic ebpf events library\n"
     "\n"
-    "USAGE: ./EventsTrace [--all|-a] [--file-delete] [--file-create] [--file-rename] [--file-memfd-open] [--file-shmem-open] [--file-modify]\n"
+    "USAGE: ./EventsTrace [--all|-a] [--file-delete] [--file-create] [--file-rename] "
+    "[--file-memfd-open] [--file-shmem-open] [--file-modify]\n"
     "[--process-fork] [--process-exec] [--process-exit] [--process-setsid] [--process-setuid] "
-    "[--process-setgid] [--process-tty-write] [--process-memfd_create] [--process-shmget] [--process-ptrace] [--process-load_module]\n"
+    "[--process-setgid] [--process-tty-write] [--process-memfd_create] [--process-shmget] "
+    "[--process-ptrace] [--process-load_module]\n"
     "[--net-conn-accept] [--net-conn-attempt] [--net-conn-closed]\n"
     "[--print-features-on-init] [--unbuffer-stdout] [--libbpf-verbose]\n";
 

non-GPL/HostIsolation/Lib/TcLoader.c

@@ -371,10 +371,10 @@ static int netlink_qdisc(int cmd, unsigned int flags, const char *ifname)
     int rv                            = -1;
     struct rtnetlink_handle qdisc_rth = {.fd = -1};
     struct netlink_msg qdisc_req      = {
-             .n.nlmsg_len   = NLMSG_LENGTH(sizeof(struct tcmsg)),
-             .n.nlmsg_flags = NLM_F_REQUEST | flags,
-             .n.nlmsg_type  = cmd,
-             .t.tcm_family  = AF_UNSPEC,
+        .n.nlmsg_len   = NLMSG_LENGTH(sizeof(struct tcmsg)),
+        .n.nlmsg_flags = NLM_F_REQUEST | flags,
+        .n.nlmsg_type  = cmd,
+        .t.tcm_family  = AF_UNSPEC,
     };
 
     if (!ifname) {