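// BCC opensnoop-style program: trace open(2), openat(2) and openat2(2).
// Each entry probe stashes the caller's arguments in a hash keyed by
// pid_tgid; the shared return probe joins them with the syscall result
// and emits one perf event per completed call.
//
// Lines ending in "// EXTENDED_STRUCT_MEMBER" carry the optional flags
// field. NOTE(review): the marker looks like a hook for the Python front
// end, which presumably drops these lines when flags are not requested
// — keep each marker on the same line as the member or store it guards.
//
// NOTE(review): the include targets were not legible in the copy under
// review; they are restored from the symbols the code uses (pt_regs and
// PT_REGS_RC, NAME_MAX, TASK_COMM_LEN) — confirm against the tool source.
#include <uapi/linux/ptrace.h>
#include <uapi/linux/limits.h>
#include <linux/sched.h>

// Per-call state captured at syscall entry and consumed at return.
struct val_t {
    u64 id;                    // pid_tgid of the caller; doubles as the map key
    char comm[TASK_COMM_LEN];  // task name, captured in kernel at entry
    const char *fname;         // USER pointer to the path; dereferenced only at return
    int flags; // EXTENDED_STRUCT_MEMBER
};

// Event sent to user space for each completed open* call.
struct data_t {
    u64 id;                    // pid_tgid
    u64 ts;                    // return timestamp, microseconds (ns / 1000)
    u32 uid;                   // low 32 bits of bpf_get_current_uid_gid()
    int ret;                   // syscall return value (fd or -errno)
    char comm[TASK_COMM_LEN];
    char fname[NAME_MAX];      // path copied from user memory; zero-filled on failure
    int flags; // EXTENDED_STRUCT_MEMBER
};

BPF_PERF_OUTPUT(events);
BPF_HASH(infotmp, u64, struct val_t);

// Return probe shared by all three entry probes: look up the entry record
// for the current thread, attach the result, emit, and clear the slot.
int trace_return(struct pt_regs *ctx)
{
    u64 id = bpf_get_current_pid_tgid();
    struct data_t data = {};
    u64 tsp = bpf_ktime_get_ns();

    struct val_t *valp = infotmp.lookup(&id);
    if (valp == 0) {
        // missed entry (e.g. the probe was attached while the call was in flight)
        return 0;
    }

    bpf_probe_read_kernel(&data.comm, sizeof(data.comm), valp->comm);
    // The path is read from user memory here, at syscall *return*, not at
    // entry: another thread sharing the address space can rewrite the buffer
    // in between, so fname is best-effort telemetry, not necessarily the
    // string the kernel acted on. The _str helper stops at the terminator,
    // so a short path near the end of a mapping does not fail the whole read
    // and the copy is NUL-terminated; data is zeroed above, so a failed read
    // leaves fname empty rather than stale.
    bpf_probe_read_user_str(&data.fname, sizeof(data.fname), (void *)valp->fname);
    data.id = valp->id;
    data.ts = tsp / 1000;
    data.uid = bpf_get_current_uid_gid();  // u64 -> u32 keeps the uid half
    data.flags = valp->flags; // EXTENDED_STRUCT_MEMBER
    data.ret = PT_REGS_RC(ctx);

    events.perf_submit(ctx, &data, sizeof(data));
    infotmp.delete(&id);
    return 0;
}

// open(2) entry: record comm, the user path pointer and flags for the
// return probe. The entry record is only stored when the comm read succeeds.
int syscall__trace_entry_open(struct pt_regs *ctx, const char __user *filename, int flags)
{
    struct val_t val = {};
    u64 id = bpf_get_current_pid_tgid();
    u32 pid = id >> 32; // PID is higher part
    u32 tid = id;       // Cast and get the lower part
    u32 uid = bpf_get_current_uid_gid();
    // NOTE(review): pid/tid/uid are unused in this copy; they look like the
    // variables a templated PID/TID/UID filter would test — confirm before
    // removing them.

    if (bpf_get_current_comm(&val.comm, sizeof(val.comm)) == 0) {
        val.id = id;
        val.fname = filename;
        val.flags = flags; // EXTENDED_STRUCT_MEMBER
        infotmp.update(&id, &val);
    }
    return 0;
}

// openat(2) entry: same capture as open(2); dfd is not recorded.
int syscall__trace_entry_openat(struct pt_regs *ctx, int dfd, const char __user *filename, int flags)
{
    struct val_t val = {};
    u64 id = bpf_get_current_pid_tgid();
    u32 pid = id >> 32; // PID is higher part
    u32 tid = id;       // Cast and get the lower part
    u32 uid = bpf_get_current_uid_gid();
    // NOTE(review): pid/tid/uid are unused in this copy; see the note in
    // syscall__trace_entry_open.

    if (bpf_get_current_comm(&val.comm, sizeof(val.comm)) == 0) {
        val.id = id;
        val.fname = filename;
        val.flags = flags; // EXTENDED_STRUCT_MEMBER
        infotmp.update(&id, &val);
    }
    return 0;
}

#include <uapi/linux/openat2.h>

// openat2(2) entry: `how` is a user pointer (struct open_how __user *), so
// the flags field is fetched with an explicit user-space read — matching
// how the path is read in trace_return — instead of a bare dereference.
// open_how.flags is 64-bit; the narrowing to int matches val_t.flags and
// the original assignment. A failed read leaves how_flags at 0.
int syscall__trace_entry_openat2(struct pt_regs *ctx, int dfd, const char __user *filename, struct open_how *how)
{
    u64 how_flags = 0;
    bpf_probe_read_user(&how_flags, sizeof(how_flags), &how->flags);
    int flags = (int)how_flags;

    struct val_t val = {};
    u64 id = bpf_get_current_pid_tgid();
    u32 pid = id >> 32; // PID is higher part
    u32 tid = id;       // Cast and get the lower part
    u32 uid = bpf_get_current_uid_gid();
    // NOTE(review): pid/tid/uid are unused in this copy; see the note in
    // syscall__trace_entry_open.

    if (bpf_get_current_comm(&val.comm, sizeof(val.comm)) == 0) {
        val.id = id;
        val.fname = filename;
        val.flags = flags; // EXTENDED_STRUCT_MEMBER
        infotmp.update(&id, &val);
    }
    return 0;
}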