0004 #include <uapi/linux/bpf.h>
0005 #include <bpf/bpf_helpers.h>
0006
/*
 * Context record passed to the syscall-entry tracepoint programs below.
 *
 * The member order and widths define how the raw tracepoint record is
 * interpreted, so they must not be reordered or resized independently of
 * the kernel's description of the event.
 * NOTE(review): presumably mirrors
 * /sys/kernel/debug/tracing/events/syscalls/sys_enter_open/format - confirm
 * on the target kernel.
 *
 * None of the programs in this file read any of these members; they only
 * count invocations.
 */
struct syscalls_enter_open_args {
	/* Leading 8 bytes of the record; never accessed in this file. */
	unsigned long long unused;

	/* Syscall number (by name; not read here). */
	long syscall_nr;

	/*
	 * NOTE(review): by its name this is the user-space address of the
	 * path string. If a program ever needs the string, copy it with
	 * bpf_probe_read_user_str() instead of dereferencing it - the value
	 * is controlled by the calling process. Confirm before relying on it.
	 */
	long filename_ptr;

	/* open() flags argument (by name; not read here). */
	long flags;

	/* open() mode argument (by name; not read here). */
	long mode;
};
0014
/*
 * Context record passed to the syscall-exit tracepoint programs below.
 *
 * As with the entry record, the member order and widths define how the raw
 * tracepoint record is interpreted and must stay in step with the kernel's
 * description of the event (NOTE(review): presumably the sys_exit_open
 * format file - confirm). No program in this file reads these members.
 */
struct syscalls_exit_open_args {
	/* Leading 8 bytes of the record; never accessed in this file. */
	unsigned long long unused;

	/* Syscall number (by name; not read here). */
	long syscall_nr;

	/* Syscall return value (by name; not read here). */
	long ret;
};
0020
/*
 * Counter for syscall entries: a one-element array map (u32 key, u32 value).
 * Slot 0 is incremented by trace_enter_open() and trace_enter_open_at()
 * through count().
 *
 * The value is a u32, so it wraps after 2^32 - 1 events.
 * NOTE(review): whoever reads this map is not visible in this file - confirm
 * the consumer tolerates wrap-around on long-running hosts.
 */
struct {
	__uint(type, BPF_MAP_TYPE_ARRAY);
	__type(key, u32);
	__type(value, u32);
	__uint(max_entries, 1);	/* only key 0 is ever used */
} enter_open_map SEC(".maps");
0027
/*
 * Counter for syscall exits: a one-element array map (u32 key, u32 value).
 * Slot 0 is incremented by trace_enter_exit() and trace_enter_exit_at()
 * through count().
 *
 * The value is a u32, so it wraps after 2^32 - 1 events.
 */
struct {
	__uint(type, BPF_MAP_TYPE_ARRAY);
	__type(key, u32);
	__type(value, u32);
	__uint(max_entries, 1);	/* only key 0 is ever used */
} exit_open_map SEC(".maps");
0034
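/*
 * count() - add one to the counter stored under key 0 of @map.
 * @map: BPF map with a u32 key and a u32 value.
 *
 * Every program in this file funnels into the same map slot, and tracepoint
 * programs may execute on several CPUs at the same time. A plain
 * "*value += 1" is a read-modify-write that can lose increments when two
 * CPUs race, making the counter under-report, so the increment is done
 * atomically instead.
 */
static __always_inline void count(void *map)
{
	u32 key = 0;
	u32 init_val = 1;
	u32 *value;

	value = bpf_map_lookup_elem(map, &key);
	if (value) {
		/* Result is unused; only the atomic add on the map value matters. */
		__sync_fetch_and_add(value, 1);
		return;
	}

	/*
	 * No entry found: seed the slot with 1. BPF_NOEXIST asks the helper
	 * not to overwrite an entry that appeared in the meantime. The return
	 * value is deliberately ignored (best-effort counter), so an event
	 * that loses this race is not counted.
	 * NOTE(review): for the array maps declared in this file the lookup of
	 * key 0 is expected to succeed, so this path likely only matters if
	 * count() is reused with another map type - confirm.
	 */
	bpf_map_update_elem(map, &key, &init_val, BPF_NOEXIST);
}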
0046
/*
 * Runs on entry to open(2) and bumps the entry counter.
 * @ctx is not read. Always returns 0.
 *
 * Coverage note: this file hooks only the open and openat tracepoints, so
 * files opened through other syscalls (e.g. openat2, creat) are not
 * reflected in the counters.
 */
SEC("tracepoint/syscalls/sys_enter_open")
int trace_enter_open(struct syscalls_enter_open_args *ctx)
{
	void *entries = &enter_open_map;

	count(entries);
	return 0;
}
0053
/*
 * Runs on entry to openat(2) and bumps the same entry counter as the
 * open(2) handler, so the two syscalls are not distinguishable in the map.
 * @ctx is not read. Always returns 0.
 *
 * NOTE(review): openat(2) takes a directory fd ahead of the filename, so
 * the member names of struct syscalls_enter_open_args likely do not line up
 * with the sys_enter_openat record. Harmless while @ctx is unused; confirm
 * against the tracepoint format before reading any member here.
 */
SEC("tracepoint/syscalls/sys_enter_openat")
int trace_enter_open_at(struct syscalls_enter_open_args *ctx)
{
	void *entries = &enter_open_map;

	count(entries);
	return 0;
}
0060
/*
 * Runs on exit from open(2) and bumps the exit counter.
 * Despite the "enter" in its name, the section it is attached to is the
 * sys_exit_open tracepoint.
 * @ctx is not read, so failed and successful opens are counted alike.
 * Always returns 0.
 */
SEC("tracepoint/syscalls/sys_exit_open")
int trace_enter_exit(struct syscalls_exit_open_args *ctx)
{
	void *exits = &exit_open_map;

	count(exits);
	return 0;
}
0067
/*
 * Runs on exit from openat(2) and bumps the same exit counter as the
 * open(2) exit handler.
 * Despite the "enter" in its name, the section it is attached to is the
 * sys_exit_openat tracepoint.
 * @ctx is not read, so failed and successful opens are counted alike.
 * Always returns 0.
 */
SEC("tracepoint/syscalls/sys_exit_openat")
int trace_enter_exit_at(struct syscalls_exit_open_args *ctx)
{
	void *exits = &exit_open_map;

	count(exits);
	return 0;
}