1*387f9dfdSAndroid Build Coastguard WorkerDemonstrations of mountsnoop. 2*387f9dfdSAndroid Build Coastguard Worker 3*387f9dfdSAndroid Build Coastguard Workermountsnoop traces the mount() and umount syscalls system-wide. For example, 4*387f9dfdSAndroid Build Coastguard Workerrunning the following series of commands produces this output: 5*387f9dfdSAndroid Build Coastguard Worker 6*387f9dfdSAndroid Build Coastguard Worker# mount --bind /mnt /mnt 7*387f9dfdSAndroid Build Coastguard Worker# umount /mnt 8*387f9dfdSAndroid Build Coastguard Worker# unshare -m 9*387f9dfdSAndroid Build Coastguard Worker# mount --bind /mnt /mnt 10*387f9dfdSAndroid Build Coastguard Worker# umount /mnt 11*387f9dfdSAndroid Build Coastguard Worker 12*387f9dfdSAndroid Build Coastguard Worker# ./mountsnoop.py 13*387f9dfdSAndroid Build Coastguard WorkerCOMM PID TID MNT_NS CALL 14*387f9dfdSAndroid Build Coastguard Workermount 710 710 4026531840 mount("/mnt", "/mnt", "", MS_MGC_VAL|MS_BIND, "") = 0 15*387f9dfdSAndroid Build Coastguard Workerumount 714 714 4026531840 umount("/mnt", 0x0) = 0 16*387f9dfdSAndroid Build Coastguard Workerunshare 717 717 4026532160 mount("none", "/", "", MS_REC|MS_PRIVATE, "") = 0 17*387f9dfdSAndroid Build Coastguard Workermount 725 725 4026532160 mount("/mnt", "/mnt", "", MS_MGC_VAL|MS_BIND, "") = 0 18*387f9dfdSAndroid Build Coastguard Workerumount 728 728 4026532160 umount("/mnt", 0x0) = 0 19*387f9dfdSAndroid Build Coastguard Worker 20*387f9dfdSAndroid Build Coastguard Worker# ./mountsnoop.py -P 21*387f9dfdSAndroid Build Coastguard WorkerCOMM PID TID PCOMM PPID MNT_NS CALL 22*387f9dfdSAndroid Build Coastguard Workermount 51526 51526 bash 49313 3222937920 mount("/mnt", "/mnt", "", MS_MGC_VAL|MS_BIND, "", "") = 0 23*387f9dfdSAndroid Build Coastguard Workerumount 51613 51613 bash 49313 3222937920 umount("/mnt", 0x0) = 0 24*387f9dfdSAndroid Build Coastguard Worker 25*387f9dfdSAndroid Build Coastguard WorkerThe output shows the calling command, its process ID and thread ID, the mount 26*387f9dfdSAndroid Build Coastguard Workernamespace the call was made in, and the call itself. 27*387f9dfdSAndroid Build Coastguard Worker 28*387f9dfdSAndroid Build Coastguard WorkerThe mount namespace number is an inode number that uniquely identifies the 29*387f9dfdSAndroid Build Coastguard Workernamespace in the running system. This can also be obtained from readlink 30*387f9dfdSAndroid Build Coastguard Worker/proc/$PID/ns/mnt. 31*387f9dfdSAndroid Build Coastguard Worker 32*387f9dfdSAndroid Build Coastguard WorkerNote that because of restrictions in BPF, the string arguments to either 33*387f9dfdSAndroid Build Coastguard Workersyscall may be truncated. 34