lines changed Expand file tree Collapse file tree 3 files changed +118
-0
lines changed Original file line number Diff line number Diff line change 1+ #!/usr/bin/python
2+ from bcc import BPF
3+
4+ prog = """
5+ #include <linux/sched.h>
6+
7+ int trace_syscall_open(struct pt_regs *ctx, const char __user *filename, int flags) {
8+ u32 pid = bpf_get_current_pid_tgid() >> 32;
9+ u32 uid = bpf_get_current_uid_gid();
10+
11+ char comm[TASK_COMM_LEN];
12+ bpf_get_current_comm(&comm, sizeof(comm));
13+
14+ bpf_trace_printk("%d [%s]\\ n", pid, filename);
15+ return 0;
16+ }
17+ """
18+
19+ b = BPF (text = prog )
20+ b .attach_kprobe (event = b .get_syscall_fnname ("open" ), fn_name = "trace_syscall_open" )
21+ try :
22+ b .trace_print ()
23+ except KeyboardInterrupt :
24+ exit ()
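Review bot: `uid` and `comm` are computed but never used, since the printk on line 14 only formats pid and filename; either drop them or extend the format to something like `bpf_trace_printk("%d %d [%s]\\n", pid, uid, filename)`. The format string as rendered reads `\\ n` with a space; if that space is really in the source and not a page artifact, the C string contains a backslash-space rather than a newline and the trace output will not be line-terminated. `filename` is a `__user` pointer handed straight to `%s`, and bpf_trace_printk gives no guarantee about reading user memory; copying it into a probe buffer with a `bpf_probe_read*` helper, as the second file in this commit does, is the robust form. `exit()` at the end is the site-module convenience builtin; `sys.exit()` is the reliable call in a script.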
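--- /dev/null
+++ b/[file 2 path not shown on page]
@@ -0,0 +1,48 @@
+#!/usr/bin/python
+from bcc import BPF
+
+prog = """
+#include <uapi/linux/limits.h> // for NAME_MAX
+
+// 1 define struct
+struct event_data_t {
+u32 pid;
+char fname[NAME_MAX]; // max of filename
+};
+
+// 2. declare BPF_PERF_OUTPUT define
+BPF_PERF_OUTPUT(open_events);
+
+int trace_syscall_open(struct pt_regs *ctx, const char __user *filename, int flags) {
+u32 pid = bpf_get_current_pid_tgid() >> 32;
+
+// 3.1 define event data and fill data
+struct event_data_t evt = {};
+
+evt.pid = pid;
+bpf_probe_read(&evt.fname, sizeof(evt.fname), (void *)filename);
+
+// bpf_trace_printk("%d [%s]\\ n", pid, filename); =>
+
+// 3.2 submit the event
+open_events.perf_submit(ctx, &evt, sizeof(evt));
+
+return 0;
+}
+"""
+
+b = BPF (text = prog )
+b .attach_kprobe (event = b .get_syscall_fnname ("open" ), fn_name = "trace_syscall_open" )
+
+# process event
+def print_event (cpu , data , size ):
+event = b ["open_events" ].event (data )
+print ("Rcv Event %d, %s" % (event .pid , event .fname ))
+
+# loop with callback to print_event
+b ["open_events" ].open_perf_buffer (print_event )
+while True :
+try :
+b .perf_buffer_poll ()
+except KeyboardInterrupt :
+exit ()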
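Review bot: `bpf_probe_read(&evt.fname, sizeof(evt.fname), (void *)filename)` on line 23 copies a fixed NAME_MAX bytes from a user pointer with the legacy helper that does not stop at the terminator, so a short path that ends near an unmapped page makes the whole read fail and leaves fname empty, and nothing guarantees NUL termination of what is copied; `bpf_probe_read_user_str(&evt.fname, sizeof(evt.fname), filename)` reads only up to the terminator and is the user-memory helper. Note also that NAME_MAX is a single component limit, so full paths longer than that are silently truncated, which a consumer of these events should expect. In `print_event`, `event.fname` is a ctypes char array, so under Python 3 the `%s` formatting prints `b'...'`; `event .fname .decode ('utf-8' , 'replace' )` gives the intended text. For a monitoring use, `open_perf_buffer` also accepts a `lost_cb` callback, and `perf_submit`'s return value is ignored here, so dropped events under load would go unnoticed.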
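--- /dev/null
+++ b/[file 3 path not shown on page]
@@ -0,0 +1,46 @@
+#!/usr/bin/python
+from bcc import BPF
+import argparse # +add
+
+prog = """
+#include <linux/sched.h>
+
+int trace_syscall_open(struct pt_regs *ctx, const char __user *filename, int flags) {
+u32 pid = bpf_get_current_pid_tgid() >> 32;
+u32 uid = bpf_get_current_uid_gid();
+
+PID_FILTER // + add PID FILTER
+char comm[TASK_COMM_LEN];
+bpf_get_current_comm(&comm, sizeof(comm));
+
+bpf_trace_printk("%d [%s]\\ n", pid, filename);
+return 0;
+}
+"""
+
+examples = """examples:
+./open_pid -p 181 # only trace PID 181
+"""
+
+parser = argparse .ArgumentParser (
+description = "Trace open() syscalls" ,
+formatter_class = argparse .RawDescriptionHelpFormatter ,
+epilog = examples )
+
+parser .add_argument ("-p" , "--pid" ,
+help = "trace this PID only" )
+
+args = parser .parse_args ()
+
+if args .pid :
+prog = prog .replace ('PID_FILTER' ,
+'if (pid != %s) { return 0; }' % args .pid )
+else :
+prog = prog .replace ('PID_TID_FILTER' , '' )
+
+b = BPF (text = prog )
+b .attach_kprobe (event = b .get_syscall_fnname ("open" ), fn_name = "trace_syscall_open" )
+try :
+b .trace_print ()
+except KeyboardInterrupt :
+exit ()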
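Review bot: The `else` branch on line 39 replaces `'PID_TID_FILTER'`, a token that does not occur in `prog`, so when `-p` is omitted the `PID_FILTER` placeholder survives into the C source and the BPF program fails to compile; it should read `prog = prog .replace ('PID_FILTER' , '' )`. The `-p` value is spliced unvalidated into C code on line 37 via `'if (pid != %s) { return 0; }' % args .pid`; declaring the option with `type = int` in `add_argument` rejects non-numeric input before it reaches the compiler and makes the intent explicit. As in the first file, `uid` is computed and never used, and the `\\ n` in the format string should be checked to be `\\n` in the actual source.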