syscall_tp_kern.c 1.9 KB

  1. // SPDX-License-Identifier: GPL-2.0-only
  2. /* Copyright (c) 2017 Facebook
  3. */
  4. #include <uapi/linux/bpf.h>
  5. #include <bpf/bpf_helpers.h>
  6. #if !defined(__aarch64__)
  /*
   * Context layout used by trace_enter_open(), the handler placed in the
   * sys_enter_open tracepoint section. No program in this file reads any
   * of these fields; the struct only types the handler's ctx argument.
   */
  struct syscalls_enter_open_args {
      /* Leading 8 bytes; presumably the common tracepoint header (confirm
       * against the tracepoint's format file). */
      unsigned long long unused;
      long syscall_nr;
      /* NOTE(review): by its name this is a user-space address. It is not
       * dereferenced here; if that changes, copy the string through a
       * bpf_probe_read_user*() helper instead of reading it directly. */
      long filename_ptr;
      long flags;
      long mode;
  };
  14. #endif
  /*
   * Context layout shared by the three exit-side handlers in this file
   * (the sys_exit_open, sys_exit_openat and sys_exit_openat2 sections).
   * None of them reads a field; the struct only types the ctx argument.
   */
  struct syscalls_exit_open_args {
      /* Leading 8 bytes; presumably the common tracepoint header (confirm
       * against the tracepoint's format file). */
      unsigned long long unused;
      long syscall_nr;
      long ret;
  };
  /*
   * Context layout used by the sys_enter_openat and sys_enter_openat2
   * handlers in this file. Neither handler reads a field.
   *
   * NOTE(review): the field list matches openat's arguments; openat2 takes
   * a different argument list, so confirm the layout against that
   * tracepoint's format file before reading fields from its handler.
   */
  struct syscalls_enter_open_at_args {
      /* Leading 8 bytes; presumably the common tracepoint header (confirm
       * against the tracepoint's format file). */
      unsigned long long unused;
      long syscall_nr;
      long long dfd;
      /* NOTE(review): by its name this is a user-space address. It is not
       * dereferenced here; if that changes, copy the string through a
       * bpf_probe_read_user*() helper instead of reading it directly. */
      long filename_ptr;
      long flags;
      long mode;
  };
  /*
   * One-slot array map (u32 key -> u32 value) placed in the ".maps" section.
   * Every enter-side program in this file passes it to count(), so slot 0
   * holds the combined number of enter events those programs handled.
   */
  struct {
      __uint(type, BPF_MAP_TYPE_ARRAY);
      __type(key, u32);
      __type(value, u32);
      __uint(max_entries, 1);   /* only index 0 is ever used */
  } enter_open_map SEC(".maps");
  /*
   * One-slot array map (u32 key -> u32 value) placed in the ".maps" section.
   * Every exit-side program in this file passes it to count(), so slot 0
   * holds the combined number of exit events those programs handled.
   */
  struct {
      __uint(type, BPF_MAP_TYPE_ARRAY);
      __type(key, u32);
      __type(value, u32);
      __uint(max_entries, 1);   /* only index 0 is ever used */
  } exit_open_map SEC(".maps");
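  /*
   * count() - add one to the counter stored at index 0 of @map.
   *
   * @map: pointer to a BPF map whose key and value are both u32; in this
   *       file that is enter_open_map or exit_open_map.
   *
   * Tracepoint programs can run on several CPUs at the same time, so the
   * increment is an atomic add. A plain "*value += 1" is a separate load
   * and store, and concurrent events could overwrite each other's result,
   * leaving the counter lower than the number of syscalls observed.
   */
  static __always_inline void count(void *map)
  {
      u32 key = 0;
      u32 init_val = 1;
      u32 *value;

      value = bpf_map_lookup_elem(map, &key);
      if (value) {
          /* The fetched value is unused; only the atomic add matters. */
          __sync_fetch_and_add(value, 1);
          return;
      }

      /*
       * No slot came back: create it with a first count of 1. BPF_NOEXIST
       * makes the update fail rather than overwrite a value that another
       * CPU created in the meantime. With the BPF_MAP_TYPE_ARRAY maps in
       * this file index 0 always exists, so this path is only expected if
       * a caller passes a different map type; the NULL check itself is
       * still needed before the pointer is used.
       */
      bpf_map_update_elem(map, &key, &init_val, BPF_NOEXIST);
  }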
  50. #if !defined(__aarch64__)
  /*
   * Program for the sys_enter_open tracepoint section: adds one to the
   * enter-side counter. @ctx is not read. Always returns 0.
   */
  SEC("tracepoint/syscalls/sys_enter_open")
  int trace_enter_open(struct syscalls_enter_open_args *ctx)
  {
      void *counter_map = &enter_open_map;

      count(counter_map);
      return 0;
  }
  57. #endif
  /*
   * Program for the sys_enter_openat tracepoint section: adds one to the
   * enter-side counter. @ctx is not read. Always returns 0.
   */
  SEC("tracepoint/syscalls/sys_enter_openat")
  int trace_enter_open_at(struct syscalls_enter_open_at_args *ctx)
  {
      void *counter_map = &enter_open_map;

      count(counter_map);
      return 0;
  }
  /*
   * Program for the sys_enter_openat2 tracepoint section: adds one to the
   * enter-side counter. Always returns 0.
   *
   * NOTE(review): @ctx is typed with the openat argument layout and is not
   * read here; confirm the layout against the openat2 tracepoint format
   * before adding any field access.
   */
  SEC("tracepoint/syscalls/sys_enter_openat2")
  int trace_enter_open_at2(struct syscalls_enter_open_at_args *ctx)
  {
      void *counter_map = &enter_open_map;

      count(counter_map);
      return 0;
  }
  70. #if !defined(__aarch64__)
  /*
   * Program for the sys_exit_open tracepoint section (despite "enter" in
   * its name): adds one to the exit-side counter. @ctx, including the
   * syscall's return value, is not read, so failed calls are counted too.
   * Always returns 0.
   */
  SEC("tracepoint/syscalls/sys_exit_open")
  int trace_enter_exit(struct syscalls_exit_open_args *ctx)
  {
      void *counter_map = &exit_open_map;

      count(counter_map);
      return 0;
  }
  77. #endif
  /*
   * Program for the sys_exit_openat tracepoint section (despite "enter" in
   * its name): adds one to the exit-side counter. @ctx, including the
   * syscall's return value, is not read, so failed calls are counted too.
   * Always returns 0.
   */
  SEC("tracepoint/syscalls/sys_exit_openat")
  int trace_enter_exit_at(struct syscalls_exit_open_args *ctx)
  {
      void *counter_map = &exit_open_map;

      count(counter_map);
      return 0;
  }
  /*
   * Program for the sys_exit_openat2 tracepoint section (despite "enter"
   * in its name): adds one to the exit-side counter. @ctx, including the
   * syscall's return value, is not read, so failed calls are counted too.
   * Always returns 0.
   */
  SEC("tracepoint/syscalls/sys_exit_openat2")
  int trace_enter_exit_at2(struct syscalls_exit_open_args *ctx)
  {
      void *counter_map = &exit_open_map;

      count(counter_map);
      return 0;
  }