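#include "vmlinux.h"
#include <bpf/bpf_helpers.h>
#include <bpf/bpf_tracing.h>
#include <bpf/bpf_core_read.h>
#include "openat.h"

/*
 * Ring buffer through which one struct open_event per traced openat()
 * entry is handed to user space.
 */
struct {
	__uint(type, BPF_MAP_TYPE_RINGBUF);
	__uint(max_entries, 256 * 1024);
} opens SEC(".maps");

/*
 * Hand-written view of the record passed to the sys_enter_openat
 * tracepoint: 24 opaque bytes are skipped, then the user-space pointer to
 * the path argument follows.
 *
 * NOTE(review): the 24-byte offset is hard-coded; confirm it against the
 * tracepoint's format description on the target kernel/architecture.
 */
struct syscalls_enter_open_args {
	char bb[24];
	const char *filename;
};

/*
 * Emit one open_event for every openat() syscall entry.
 *
 * The event carries the upper 32 bits of bpf_get_current_pid_tgid() and the
 * path string read from user memory at syscall entry. What is recorded is the
 * string as the caller passed it (unresolved, truncated to sizeof(fname)) and
 * as user memory held it when this program ran; consumers should not treat it
 * as the path the kernel finally opened.
 *
 * Always returns 0.
 */
SEC("tp/syscalls/sys_enter_openat")
int trace_enter_open_at(struct syscalls_enter_open_args *ctx)
{
	struct open_event *event;
	long copied;

	event = bpf_ringbuf_reserve(&opens, sizeof(*event), 0);
	if (!event) {
		/*
		 * No space could be reserved: this open goes unreported.
		 * Nothing here counts the loss, so user space cannot tell
		 * that events are missing.
		 */
		return 0;
	}

	event->pid = bpf_get_current_pid_tgid() >> 32;

	/*
	 * The helper returns a negative value when the user pointer cannot be
	 * read. Still report the open, but with an explicitly empty name, so
	 * the consumer never interprets leftover buffer contents as a path.
	 *
	 * NOTE(review): bytes after the terminating NUL are presumably left as
	 * reserved (the helper does not pad); consumers must stop at the NUL.
	 */
	copied = bpf_probe_read_user_str(event->fname, sizeof(event->fname),
					 ctx->filename);
	if (copied < 0) {
		event->fname[0] = '\0';
	}

	bpf_ringbuf_submit(event, 0);
	return 0;
}

char _license[] SEC("license") = "GPL";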