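#include <uapi/linux/bpf.h>
#include <bpf/bpf_helpers.h>
#include "syscall_tp.h"

/*
 * Ring buffer used to hand open events to user space.  For
 * BPF_MAP_TYPE_RINGBUF, max_entries is the buffer size in bytes.
 */
struct {
	__uint(type, BPF_MAP_TYPE_RINGBUF);
	__uint(max_entries, 256 * 1024);
} opens SEC(".maps");

/*
 * Tracepoint record for syscalls:sys_enter_open (no directory fd).
 * Kept for reference; it must not be used for sys_enter_openat, whose
 * record has an extra dfd slot in front of the filename.
 */
struct syscalls_enter_open_args {
	unsigned long long unused;
	long syscall_nr;
	long filename_ptr;
	long flags;
	long mode;
};

/*
 * Tracepoint record for syscalls:sys_enter_openat.  openat(2) takes the
 * directory fd as its first argument, so the filename pointer is the
 * second 8-byte argument slot.  Check the layout against
 * /sys/kernel/tracing/events/syscalls/sys_enter_openat/format on the
 * target kernel.
 */
struct syscalls_enter_openat_args {
	unsigned long long unused;
	long syscall_nr;
	long dfd;
	long filename_ptr;
	long flags;
	long mode;
};

/*
 * Emit one open_event (pid + file name) per openat(2) entry.
 *
 * Fix: the handler previously read ctx through the open(2) layout, so
 * "filename_ptr" was really dfd (typically AT_FDCWD) and the string read
 * could not return the path.
 *
 * Monitoring caveats:
 *  - If the ring buffer is full the reservation fails and the event is
 *    dropped without any record; a consumer that falls behind loses opens.
 *  - The path is copied from user memory at syscall entry, before the
 *    kernel takes its own copy.  The buffer can change afterwards, so
 *    fname is what user space presented at entry, not necessarily the
 *    path the kernel resolved.
 *  - Only the string and its NUL are written; bytes after the terminator
 *    in fname are whatever the reserved slot held before.  Consumers must
 *    treat fname strictly as a NUL-terminated string.
 *
 * Always returns 0.
 */
SEC("tracepoint/syscalls/sys_enter_openat")
int trace_enter_open_at(struct syscalls_enter_openat_args *ctx)
{
	struct open_event *event;
	long copied;

	event = bpf_ringbuf_reserve(&opens, sizeof(*event), 0);

	/* Debug trace emitted on every openat; remove outside of debugging. */
	bpf_printk("open at event \n");

	if (!event)
		return 0;

	/* Upper 32 bits of pid_tgid are the tgid, i.e. the user-visible PID. */
	event->pid = bpf_get_current_pid_tgid() >> 32;

	copied = bpf_probe_read_user_str(event->fname, sizeof(event->fname),
					 (const void *)ctx->filename_ptr);
	if (copied < 0) {
		/*
		 * Unreadable path (bad pointer, page not resident): still
		 * report the open, with an explicitly empty name, rather
		 * than losing the event.
		 */
		event->fname[0] = '\0';
	}

	bpf_ringbuf_submit(event, 0);
	return 0;
}

char _license[] SEC("license") = "GPL";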