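#!/usr/bin/python3
"""Trace openat(2) calls system-wide through a BPF ring buffer and print them.

The BPF program attaches to the ``syscalls:sys_enter_openat`` tracepoint,
copies the pathname argument (read from the *traced* process's memory, so it
is untrusted input) plus dfd/flags/mode into a ring-buffer record, and this
script polls the buffer and prints one line per event.

Requires the ``bcc`` Python bindings, a kernel with BPF ring-buffer support
and the privileges needed to load BPF programs.
"""

import sys
import time

from bcc import BPF

# BPF program source.  The layout of ``struct event`` is what
# ``b['buffer'].event()`` in the callback below decodes, so the two must stay
# in sync.
#
# Drop behaviour: the buffer is only 1 << 4 pages.  When ``ringbuf_reserve``
# fails (buffer full) the probe returns 1 and the event is discarded without
# any counter being incremented, so on a busy system the printed list can be
# incomplete and nothing signals it.
src = r"""
BPF_RINGBUF_OUTPUT(buffer, 1 << 4);

struct event {
    char filename[64];
    int dfd;
    int flags;
    int mode;
};

TRACEPOINT_PROBE(syscalls, sys_enter_openat) {
    int zero = 0;

    struct event *event = buffer.ringbuf_reserve(sizeof(struct event));
    if (!event) {
        return 1;
    }

    bpf_probe_read_user_str(event->filename, sizeof(event->filename), args->filename);

    event->dfd = args->dfd;
    event->flags = args->flags;
    event->mode = args->mode;

    buffer.ringbuf_submit(event, 0);
    // or, to discard: buffer.ringbuf_discard(event, 0);

    return 0;
}
"""

b = BPF(text=src)


def _render_filename(raw: bytes) -> str:
    """Return *raw* (the NUL-stripped pathname bytes) as a safe printable str.

    The pathname is copied verbatim from the traced process, so it may be
    non-UTF-8 or contain control characters (newlines, terminal escape
    sequences).  A strict ``decode('utf-8')`` would raise inside the ctypes
    callback and the event would be lost; instead undecodable bytes are
    rendered as ``\\xNN`` and non-printable code points are escaped, keeping
    the output to exactly one clean line per event.

    Args:
        raw: pathname bytes, already truncated at the first NUL by ctypes.
    Returns:
        A str containing only printable characters.
    """
    text = raw.decode("utf-8", errors="backslashreplace")
    return "".join(
        ch if ch.isprintable() else ch.encode("unicode_escape").decode("ascii")
        for ch in text
    )


def callback(ctx, data, size):
    """Ring-buffer callback: decode one ``struct event`` and print it.

    Args:
        ctx: opaque context supplied by BCC (unused).
        data: pointer to the raw record in the ring buffer.
        size: record length in bytes (unused; the struct has a fixed size).
    """
    event = b['buffer'].event(data)
    # ctypes returns the ``char[64]`` field as bytes cut at the first NUL,
    # so only decoding/escaping is left to do here.
    print("%-64s %10d %10d %10d" % (_render_filename(event.filename), event.dfd, event.flags, event.mode))


b['buffer'].open_ring_buffer(callback)

print("Printing openat() calls, ctrl-c to exit.")

print("%-64s %10s %10s %10s" % ("FILENAME", "DIR_FD", "FLAGS", "MODE"))

try:
    while True:
        # Drain whatever is queued, then sleep.  The 0.5 s interval bounds
        # how stale the output is; the ring-buffer size (see ``src``) bounds
        # how much can queue before events are dropped.
        b.ring_buffer_consume()
        time.sleep(0.5)
except KeyboardInterrupt:
    sys.exit()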