#!/usr/bin/python3
import sys
import time
from bcc import BPF
src = r"""
|
|
BPF_RINGBUF_OUTPUT(buffer, 1 << 4);
|
|
|
|
struct event {
|
|
char filename[16];
|
|
int dfd;
|
|
int flags;
|
|
int mode;
|
|
};
|
|
|
|
TRACEPOINT_PROBE(syscalls, sys_enter_openat) {
|
|
int zero = 0;
|
|
|
|
struct event event = {};
|
|
|
|
bpf_probe_read_user_str(event.filename, sizeof(event.filename), args->filename);
|
|
|
|
event.dfd = args->dfd;
|
|
event.flags = args->flags;
|
|
event.mode = args->mode;
|
|
|
|
buffer.ringbuf_output(&event, sizeof(event), 0);
|
|
|
|
return 0;
|
|
}
|
|
"""
# Compile and load the eBPF program above; bcc compiles the C at runtime and
# attaches the TRACEPOINT_PROBE (typically needs root / BPF privileges).
b = BPF(text=src)
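def callback(ctx, data, size):
    """Ring-buffer callback: decode one `struct event` and print it as a row.

    Args:
        ctx: opaque context passed by bcc (unused).
        data: pointer to the raw event bytes in the ring buffer.
        size: size of the event in bytes (unused; the ctypes layout is
            derived from the C struct definition).

    Returns:
        None. One line per openat() entry is written to stdout.
    """
    event = b['buffer'].event(data)
    # The filename is untrusted bytes supplied by the traced process and may be
    # truncated to the buffer size (possibly mid multi-byte sequence) or not be
    # UTF-8 at all. Decode leniently so a malformed path is shown with U+FFFD
    # instead of raising UnicodeDecodeError inside the ctypes callback.
    # Control characters in the path are printed as-is.
    filename = event.filename.decode('utf-8', errors='replace')
    print("%-16s %10d %10d %10d" % (filename, event.dfd, event.flags, event.mode))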
# Register the Python callback for the ring buffer, then drain it until Ctrl-C.
b['buffer'].open_ring_buffer(callback)

header = "%-16s %10s %10s %10s" % ("FILENAME", "DIR_FD", "FLAGS", "MODE")
print("Printing openat() calls, ctrl-c to exit.")
print(header)

try:
    while True:
        # Dispatch pending events to `callback` (presumably blocks until data
        # arrives under the default timeout — confirm against the bcc API).
        b.ring_buffer_poll()
        # or b.ring_buffer_consume()
        time.sleep(0.5)
except KeyboardInterrupt:
    sys.exit()