[英]How to print the file path from an open syscall using ebpf python?
I use bpf from the python bcc module, and I want that my probe function will print the file path of the current file (kind of a custom simplified opensnoop).我使用 python bcc 模块中的 bpf,我希望我的探测函数将打印当前文件的文件路径(一种自定义的简化 opensnoop)。 How can I do that?
我怎样才能做到这一点?
This is what I have so far:这是我到目前为止:
b = BPF(text="""
#include <linux/ptrace.h>
#include<linux/sched.h>
BPF_HASH(last);
int trace_entry(struct pt_regs *ctx)
{
char fileName[200] = {0};
bpf_probe_read(fileName, sizeof(fileName), &PT_REGS_PARM1(ctx));
bpf_trace_printk("File Opened<%s>\\n", fileName);
return 0;
}
""")
print("Tracing for open... Ctrl-C to end")
b.attach_kprobe(event="do_sys_open", fn_name="trace_entry")
#b.attach_kprobe(event=b.get_syscall_fnname("open"), fn_name='funcky')
b.trace_print()
Easy:简单:
Insert this in kernel code:在内核代码中插入:
// Nicer way to call bpf_trace_printk()
#define bpf_custom_printk(fmt, ...) \
({ \
char ____fmt[] = fmt; \
bpf_trace_printk(____fmt, sizeof(____fmt), \
##__VA_ARGS__); \
})
struct pair {
uint32_t lip; // local IP
uint32_t rip; // remote IP
};
and in kernel code insert print out code.并在内核代码中插入打印输出代码。 This function call works exactly like
printf
with all format and placeholder ...此函数调用与具有所有格式和占位符的
printf
完全一样......
bpf_custom_printk("This year is %d\n", 2020);
Print output:打印输出:
sudo cat /sys/kernel/debug/tracing/trace_pipe
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.