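#!/usr/bin/python3
"""Print every openat() syscall entry on the system via a BPF ring buffer.

A tracepoint on syscalls:sys_enter_openat copies the start of the requested
path plus dfd/flags/mode into a fixed-size event and pushes it to userspace,
where each event is printed as one table row until ctrl-c.

Requires the bcc Python bindings and the privileges needed to load BPF
programs.
"""

import sys
import time

from bcc import BPF

# BPF program, compiled by bcc at load time. Points worth knowing before
# building anything on its output:
#  * filename holds at most 15 bytes plus the terminating NUL; longer paths
#    are truncated, so a consumer matching on this field only sees a prefix.
#  * args->filename is read from the traced process's user memory at syscall
#    entry; that buffer is owned by the traced process and is read here
#    independently of the kernel's own copy of it.
#  * the return values of bpf_probe_read_user_str() and ringbuf_output() are
#    ignored: a failed read leaves filename empty (the struct is zero
#    initialised) and an event that does not fit in the ring buffer is
#    dropped without any indication in userspace.
src = r"""
BPF_RINGBUF_OUTPUT(buffer, 1 << 4);

struct event {
    char filename[16];
    int dfd;
    int flags;
    int mode;
};

TRACEPOINT_PROBE(syscalls, sys_enter_openat) {
    int zero = 0;

    struct event event = {};

    bpf_probe_read_user_str(event.filename, sizeof(event.filename), args->filename);

    event.dfd = args->dfd;
    event.flags = args->flags;
    event.mode = args->mode;

    buffer.ringbuf_output(&event, sizeof(event), 0);

    return 0;
}
"""

b = BPF(text=src)


def callback(ctx, data, size):
    """Ring-buffer callback: decode one event and print it as a table row.

    Args:
        ctx: opaque context passed through by bcc (unused).
        data: pointer to the raw event bytes; decoded via the module-level
            ``b`` handle into the ``struct event`` defined in ``src``.
        size: size of the event in bytes (unused; the struct layout is fixed).

    Linux filenames are arbitrary bytes, not necessarily UTF-8. Decoding with
    ``errors="backslashreplace"`` prints undecodable bytes as escapes instead
    of raising inside the callback and losing the event.
    """
    event = b["buffer"].event(data)
    filename = event.filename.decode("utf-8", errors="backslashreplace")
    print("%-16s %10d %10d %10d" % (filename, event.dfd, event.flags, event.mode))


b["buffer"].open_ring_buffer(callback)

print("Printing openat() calls, ctrl-c to exit.")

print("%-16s %10s %10s %10s" % ("FILENAME", "DIR_FD", "FLAGS", "MODE"))

try:
    while True:
        # Poll the ring buffer, then back off briefly before polling again.
        b.ring_buffer_poll()
        # or b.ring_buffer_consume()
        time.sleep(0.5)
except KeyboardInterrupt:
    sys.exit()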