| author | Paul Buetow <paul@buetow.org> | 2024-02-08 10:31:19 +0200 |
|---|---|---|
| committer | Paul Buetow <paul@buetow.org> | 2024-02-08 10:31:19 +0200 |
| commit | a79ea00c0e1b432c7364e2e4c1aa43d874374759 (patch) | |
| tree | 00057f68d6f75558346521019fd33047b85e7ddb /main.bpf.c | |
| parent | c7972bcaccecba8f06cd1a594e2a1267d31f735c (diff) | |
can trace openat exit
Diffstat (limited to 'main.bpf.c')
| -rw-r--r-- | main.bpf.c | 21 |
1 files changed, 15 insertions, 6 deletions
@@ -1,6 +1,6 @@
 //+build ignore
-#include <vmlinux.h>
+#include "vmlinux.h"
 #include <bpf/bpf_helpers.h>
@@ -16,18 +16,27 @@ struct {
 __uint(max_entries, 1 << 24);
 } tester SEC(".maps");
+struct openat_event {
+ int fd;
+ u32 tid;
+ char filename[256];
+ char comm[16];
+};
+
 struct {
 __uint(type, BPF_MAP_TYPE_PERF_EVENT_ARRAY);
 __uint(key_size, sizeof(u32));
 __uint(value_size, sizeof(u32));
 } events SEC(".maps");
-SEC("kprobe/sys_mmap")
-int kprobe__sys_mmap(struct pt_regs *ctx)
-{
- char *foo = "foo";
- bpf_perf_event_output(ctx, &events, BPF_F_CURRENT_CPU, foo, sizeof(char) * 3);
+SEC("tracepoint/syscalls/sys_exit_openat")
+int handle_openat(struct trace_event_raw_sys_exit *args) {
+ struct openat_event event = {};
+ event.fd = args->ret;
+ event.tid = bpf_get_current_pid_tgid();
+ bpf_get_current_comm(&event.comm, sizeof(event.comm));
+ bpf_perf_event_output(args, &events, BPF_F_CURRENT_CPU, &event, sizeof(event));
 return 0;
 } |
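Review bot: In the second hunk `handle_openat` never writes `event.filename`, so every perf record carries 256 zero bytes and a consumer cannot tell which path the returned descriptor belongs to. The handler reads only `args->ret` from the exit context, so the path would presumably have to be captured in a matching `sys_enter_openat` handler and stashed per thread; until that exists, a comment on the field such as `/* not populated yet: path is only visible at sys_enter_openat */` would keep readers of the event stream from treating an empty name as real data. `args->ret` is a negative errno when the open fails, so `fd` deserves the comment `/* fd on success, -errno on failure */`, since failed opens are often the interesting ones for monitoring. The tid assignment relies on implicit truncation of the 64-bit helper result; `event.tid = (u32)bpf_get_current_pid_tgid(); /* low 32 bits = thread id */` states the intent. The return value of `bpf_perf_event_output` is also ignored, so dropped events go unnoticed.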
