syscall_tp_kern.c (1433B)
1// SPDX-License-Identifier: GPL-2.0-only 2/* Copyright (c) 2017 Facebook 3 */ 4#include <uapi/linux/bpf.h> 5#include <bpf/bpf_helpers.h> 6 7struct syscalls_enter_open_args { 8 unsigned long long unused; 9 long syscall_nr; 10 long filename_ptr; 11 long flags; 12 long mode; 13}; 14 15struct syscalls_exit_open_args { 16 unsigned long long unused; 17 long syscall_nr; 18 long ret; 19}; 20 21struct { 22 __uint(type, BPF_MAP_TYPE_ARRAY); 23 __type(key, u32); 24 __type(value, u32); 25 __uint(max_entries, 1); 26} enter_open_map SEC(".maps"); 27 28struct { 29 __uint(type, BPF_MAP_TYPE_ARRAY); 30 __type(key, u32); 31 __type(value, u32); 32 __uint(max_entries, 1); 33} exit_open_map SEC(".maps"); 34 35static __always_inline void count(void *map) 36{ 37 u32 key = 0; 38 u32 *value, init_val = 1; 39 40 value = bpf_map_lookup_elem(map, &key); 41 if (value) 42 *value += 1; 43 else 44 bpf_map_update_elem(map, &key, &init_val, BPF_NOEXIST); 45} 46 47SEC("tracepoint/syscalls/sys_enter_open") 48int trace_enter_open(struct syscalls_enter_open_args *ctx) 49{ 50 count(&enter_open_map); 51 return 0; 52} 53 54SEC("tracepoint/syscalls/sys_enter_openat") 55int trace_enter_open_at(struct syscalls_enter_open_args *ctx) 56{ 57 count(&enter_open_map); 58 return 0; 59} 60 61SEC("tracepoint/syscalls/sys_exit_open") 62int trace_enter_exit(struct syscalls_exit_open_args *ctx) 63{ 64 count(&exit_open_map); 65 return 0; 66} 67 68SEC("tracepoint/syscalls/sys_exit_openat") 69int trace_enter_exit_at(struct syscalls_exit_open_args *ctx) 70{ 71 count(&exit_open_map); 72 return 0; 73}