//+build ignore
// Capacity (max_entries) of both temporary hash maps, open_event_temp_map and
// fd_event_temp_map. A BPF hash map rejects new keys once it is full, so size
// this for the number of entries expected to be pending at once; entries that
// are never deleted reduce the usable capacity. Adjust size as needed.
#define TEMP_MAP_SIZES 1024
// Size in bytes of open_event.filename. A path longer than this cannot be
// stored whole, so consumers should treat the field as possibly truncated
// (Linux PATH_MAX is 4096).
#define MAX_FILENAME_LENGTH 256
// Size in bytes of open_event.comm; 16 matches the kernel's TASK_COMM_LEN.
#define MAX_PROGNAME_LENGTH 16
/*
 * Record describing one open operation; also the value type of
 * open_event_temp_map.
 *
 * The layout is a contract with whatever decodes the record outside the
 * kernel. Three 4-byte fields precede an 8-byte-aligned __u64, so the
 * compiler places 4 bytes of padding after tid: a decoder has to skip them,
 * and code that fills this struct should zero it first so the padding does
 * not carry stale memory out to userspace.
 */
struct open_event {
// File descriptor; presumably the syscall's return value, so it may be
// negative on failure — confirm against the producer.
__s32 fd;
// Operation identifier; its meaning is set by the producer, not shown here.
__s32 op_id;
// Thread id of the caller (presumably the low 32 bits of
// bpf_get_current_pid_tgid() — confirm).
__u32 tid;
// Entry and exit timestamps; clock source and units are not visible here
// (presumably bpf_ktime_get_ns() nanoseconds — confirm).
__u64 enter_time;
__u64 exit_time;
// Fixed-size path buffer. Longer paths do not fit, and NUL termination
// depends on the helper used to copy the string, so consumers should bound
// their reads to MAX_FILENAME_LENGTH and expect truncation.
char filename[MAX_FILENAME_LENGTH];
// Presumably the task comm. A process can rename itself, so treat this as a
// display hint rather than an identity.
char comm[MAX_PROGNAME_LENGTH];
};
// Perf event array, presumably the channel on which completed open_event
// records are sent to userspace (the emitting program is not shown here).
// Keys and values are 4 bytes, as this map type requires; the slots hold perf
// event file descriptors installed by the loader, not event data.
// NOTE(review): max_entries is not set — confirm the loader sizes the map to
// the CPU count (libbpf and cilium/ebpf do this by default).
struct {
__uint(type, BPF_MAP_TYPE_PERF_EVENT_ARRAY);
__uint(key_size, sizeof(u32));
__uint(value_size, sizeof(u32));
} open_event_map SEC(".maps");
// Map to temporarily store the filename from sys_enter_openat until the
// matching exit handler can complete the record.
// Hash map of u32 key -> struct open_event, capped at TEMP_MAP_SIZES entries.
// The key is presumably the thread id — confirm against the programs that
// use this map.
// NOTE(review): when the map is full, inserting a new key fails and that
// open would go unrecorded; check that the enter handler tests the update's
// return value and that the exit handler deletes the entry on every path.
struct {
__uint(type, BPF_MAP_TYPE_HASH);
__uint(key_size, sizeof(u32));
__uint(value_size, sizeof(struct open_event));
__uint(max_entries, TEMP_MAP_SIZES);
} open_event_temp_map SEC(".maps");
/*
 * Record describing one operation on a file descriptor; also the value type
 * of fd_event_temp_map. Its five fields have the same types and order as the
 * leading five fields of struct open_event.
 *
 * As there, 4 bytes of padding follow tid so that enter_time is 8-byte
 * aligned; decoders must skip them, and producers should zero the struct
 * before filling it so the padding is not sent out uninitialised.
 */
struct fd_event {
// File descriptor the operation refers to.
__s32 fd;
// Operation identifier; its meaning is set by the producer, not shown here.
__s32 op_id;
// Thread id of the caller (presumably the low 32 bits of
// bpf_get_current_pid_tgid() — confirm).
__u32 tid;
// Entry and exit timestamps; clock source and units are not visible here
// (presumably bpf_ktime_get_ns() nanoseconds — confirm).
__u64 enter_time;
__u64 exit_time;
};
// Perf event array, presumably the channel on which completed fd_event
// records are sent to userspace (the emitting program is not shown here).
// Keys and values are 4 bytes, as this map type requires; the slots hold perf
// event file descriptors installed by the loader, not event data.
// NOTE(review): max_entries is not set — confirm the loader sizes the map to
// the CPU count (libbpf and cilium/ebpf do this by default).
struct {
__uint(type, BPF_MAP_TYPE_PERF_EVENT_ARRAY);
__uint(key_size, sizeof(u32));
__uint(value_size, sizeof(u32));
} fd_event_map SEC(".maps");
// Map to temporarily store info from the enter tracepoint for the exit one.
// Hash map of u32 key -> struct fd_event, capped at TEMP_MAP_SIZES entries.
// The key is presumably the thread id — confirm against the programs that
// use this map.
// NOTE(review): when the map is full, inserting a new key fails and that
// operation would go unrecorded; check that the enter handler tests the
// update's return value and that the exit handler deletes the entry on every
// path.
struct {
__uint(type, BPF_MAP_TYPE_HASH);
__uint(key_size, sizeof(u32));
__uint(value_size, sizeof(struct fd_event));
__uint(max_entries, TEMP_MAP_SIZES);
} fd_event_temp_map SEC(".maps");