1Demonstrations of mountsnoop. 2 3mountsnoop traces the mount() and umount syscalls system-wide. For example, 4running the following series of commands produces this output: 5 6# mount --bind /mnt /mnt 7# umount /mnt 8# unshare -m 9# mount --bind /mnt /mnt 10# umount /mnt 11 12# ./mountsnoop.py 13COMM PID TID MNT_NS CALL 14mount 710 710 4026531840 mount("/mnt", "/mnt", "", MS_MGC_VAL|MS_BIND, "") = 0 15umount 714 714 4026531840 umount("/mnt", 0x0) = 0 16unshare 717 717 4026532160 mount("none", "/", "", MS_REC|MS_PRIVATE, "") = 0 17mount 725 725 4026532160 mount("/mnt", "/mnt", "", MS_MGC_VAL|MS_BIND, "") = 0 18umount 728 728 4026532160 umount("/mnt", 0x0) = 0 19 20# ./mountsnoop.py -P 21COMM PID TID PCOMM PPID MNT_NS CALL 22mount 51526 51526 bash 49313 3222937920 mount("/mnt", "/mnt", "", MS_MGC_VAL|MS_BIND, "", "") = 0 23umount 51613 51613 bash 49313 3222937920 umount("/mnt", 0x0) = 0 24 25The output shows the calling command, its process ID and thread ID, the mount 26namespace the call was made in, and the call itself. 27 28The mount namespace number is an inode number that uniquely identifies the 29namespace in the running system. This can also be obtained from readlink 30/proc/$PID/ns/mnt. 31 32Note that because of restrictions in BPF, the string arguments to either 33syscall may be truncated. 34