| #!/usr/bin/python3 |
| |
| import sys |
| import time |
| |
| from bcc import BPF |
| |
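# BPF program (restricted C, compiled by BCC at load time).  It hooks the
# sys_enter_openat tracepoint and pushes one fixed-size `struct event` per
# call into a ring buffer that the Python side drains below.
src = r"""
/* Ring buffer shared with user space; BCC sizes it in pages (1 << 4 = 16). */
BPF_RINGBUF_OUTPUT(buffer, 1 << 4);

/* One record per openat(); this layout is what the Python callback decodes. */
struct event {
    char filename[16];   /* at most 15 path bytes plus NUL - longer paths are cut */
    int dfd;
    int flags;
    int mode;
};

TRACEPOINT_PROBE(syscalls, sys_enter_openat) {
    /* Zero-initialised so every byte sent to user space, including the
       unused tail of filename, is defined. */
    struct event event = {};

    /* Copies the path from the caller's user memory at syscall entry.  The
       return value (length, or a negative error) is not checked, so a failed
       read shows up as an empty filename and a long path is silently
       truncated to 15 bytes. */
    bpf_probe_read_user_str(event.filename, sizeof(event.filename), args->filename);

    event.dfd = args->dfd;
    event.flags = args->flags;
    event.mode = args->mode;

    /* Return value not checked: if the buffer is full the helper fails and
       the record is lost without any indication, so this trace is best-effort. */
    buffer.ringbuf_output(&event, sizeof(event), 0);

    return 0;
}
"""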
| |
# Compile and load the program in `src`; a compile or verifier failure
# surfaces here, before any polling starts.
b = BPF(text=src)
| |
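def callback(ctx, data, size):
    """Decode one ring-buffer record and print it as a table row.

    Invoked by BCC for every record delivered by ``b.ring_buffer_poll()``.

    Args:
        ctx: opaque context handed over by BCC (unused).
        data: pointer to the raw ``struct event`` bytes.
        size: record length in bytes (unused; the struct is fixed-size).
    """
    event = b['buffer'].event(data)
    # Linux paths are arbitrary bytes, not guaranteed UTF-8.  A strict decode
    # would raise inside the poll loop and stop tracing on the first odd
    # name, so escape undecodable bytes instead; backslashreplace keeps the
    # raw byte values visible rather than collapsing them to U+FFFD.
    filename = event.filename.decode('utf-8', errors='backslashreplace')
    print("%-16s %10d %10d %10d" % (filename, event.dfd, event.flags, event.mode))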
| |
# Register the consumer, then drain the ring buffer until Ctrl-C.
b['buffer'].open_ring_buffer(callback)

print("Printing openat() calls, ctrl-c to exit.")

print("%-16s %10s %10s %10s" % ("FILENAME", "DIR_FD", "FLAGS", "MODE"))

try:
    while True:
        # Hand every queued record to `callback`, then idle for half a
        # second; records arriving in between wait in the ring buffer.
        # ring_buffer_consume() is the non-polling alternative.
        b.ring_buffer_poll()
        time.sleep(0.5)
except KeyboardInterrupt:
    # Ctrl-C is the intended way to stop; leave quietly with status 0.
    sys.exit()