Omar Sandoval | e822a81 | 2016-10-16 12:31:32 -0700
Demonstrations of mountsnoop.

mountsnoop traces the mount() and umount() syscalls system-wide. For example,
running the following series of commands produces this output:

# mount --bind /mnt /mnt
# umount /mnt
# unshare -m
# mount --bind /mnt /mnt
# umount /mnt

# ./mountsnoop.py
COMM PID TID MNT_NS CALL
mount 710 710 4026531840 mount("/mnt", "/mnt", "", MS_MGC_VAL|MS_BIND, "") = 0
umount 714 714 4026531840 umount("/mnt", 0x0) = 0
unshare 717 717 4026532160 mount("none", "/", "", MS_REC|MS_PRIVATE, "") = 0
mount 725 725 4026532160 mount("/mnt", "/mnt", "", MS_MGC_VAL|MS_BIND, "") = 0
umount 728 728 4026532160 umount("/mnt", 0x0) = 0

# ./mountsnoop.py -P
COMM PID TID PCOMM PPID MNT_NS CALL
mount 51526 51526 bash 49313 3222937920 mount("/mnt", "/mnt", "", MS_MGC_VAL|MS_BIND, "", "") = 0
umount 51613 51613 bash 49313 3222937920 umount("/mnt", 0x0) = 0

The output shows the calling command, its process ID and thread ID, the mount
namespace the call was made in, and the call itself. With -P, the parent
command and parent process ID are shown as well.

The mount namespace number is an inode number that uniquely identifies the
namespace in the running system. This can also be obtained from readlink
/proc/$PID/ns/mnt.
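
As an added example (not part of mountsnoop or this file; the function names are
my own), the following POSIX shell helpers pull the MNT_NS field out of a
mountsnoop line in either the default or the -P layout, and use readlink on
/proc/$PID/ns/mnt to find which processes share that namespace, so that a mount
or umount seen in the trace can be attributed to a container or other namespace
owner:

```shell
#!/bin/sh
# Helper functions for correlating mountsnoop output with /proc (added example).

# mountsnoop_mnt_ns LINE: print the MNT_NS field of one mountsnoop output line.
# Default layout:  COMM PID TID MNT_NS CALL          -> field 4
# -P layout:       COMM PID TID PCOMM PPID MNT_NS CALL -> field 6
# The CALL column always starts with "mount(" or "umount(", so the layout is
# detected by checking whether field 5 is the call. Header lines print nothing.
mountsnoop_mnt_ns() {
    printf '%s\n' "$1" | awk '
        $1 == "COMM" { next }
        $5 ~ /^u?mount\(/ { print $4; next }
        { print $6 }'
}

# mnt_ns_of PID: print the mount namespace inode of PID, i.e. the number
# inside "mnt:[...]" as returned by readlink /proc/PID/ns/mnt.
# Prints nothing if the process is gone or its namespace is not readable.
mnt_ns_of() {
    readlink "/proc/$1/ns/mnt" 2>/dev/null |
        sed -n 's/^mnt:\[\([0-9][0-9]*\)\]$/\1/p'
}

# pids_in_mnt_ns NS: list the PIDs currently living in mount namespace NS.
pids_in_mnt_ns() {
    for d in /proc/[0-9]*; do
        pid=${d#/proc/}
        [ "$(mnt_ns_of "$pid")" = "$1" ] && echo "$pid"
    done
    return 0
}

# Usage: feed a captured mountsnoop line (constructed here from the output
# above) and list the processes that currently share its namespace.
demo() {
    line='mount 710 710 4026531840 mount("/mnt", "/mnt", "", MS_MGC_VAL|MS_BIND, "") = 0'
    ns=$(mountsnoop_mnt_ns "$line")
    echo "mount namespace $ns; processes currently in it:"
    pids_in_mnt_ns "$ns"
}
```

Processes other than your own are only resolvable when you may read their
/proc/PID/ns/mnt link, so run the lookup as root when attributing system-wide traces.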

Note that because of restrictions in BPF, the string arguments to either
syscall may be truncated.