Loading...
1// SPDX-License-Identifier: GPL-2.0-only
2/* Copyright (c) 2017 Facebook
3 */
4#include <uapi/linux/bpf.h>
5#include <bpf/bpf_helpers.h>
6
7#if !defined(__aarch64__)
8struct syscalls_enter_open_args {
9 unsigned long long unused;
10 long syscall_nr;
11 long filename_ptr;
12 long flags;
13 long mode;
14};
15#endif
16
17struct syscalls_exit_open_args {
18 unsigned long long unused;
19 long syscall_nr;
20 long ret;
21};
22
23struct syscalls_enter_open_at_args {
24 unsigned long long unused;
25 long syscall_nr;
26 long long dfd;
27 long filename_ptr;
28 long flags;
29 long mode;
30};
31
32struct {
33 __uint(type, BPF_MAP_TYPE_ARRAY);
34 __type(key, u32);
35 __type(value, u32);
36 __uint(max_entries, 1);
37} enter_open_map SEC(".maps");
38
39struct {
40 __uint(type, BPF_MAP_TYPE_ARRAY);
41 __type(key, u32);
42 __type(value, u32);
43 __uint(max_entries, 1);
44} exit_open_map SEC(".maps");
45
46static __always_inline void count(void *map)
47{
48 u32 key = 0;
49 u32 *value, init_val = 1;
50
51 value = bpf_map_lookup_elem(map, &key);
52 if (value)
53 *value += 1;
54 else
55 bpf_map_update_elem(map, &key, &init_val, BPF_NOEXIST);
56}
57
58#if !defined(__aarch64__)
59SEC("tracepoint/syscalls/sys_enter_open")
60int trace_enter_open(struct syscalls_enter_open_args *ctx)
61{
62 count(&enter_open_map);
63 return 0;
64}
65#endif
66
67SEC("tracepoint/syscalls/sys_enter_openat")
68int trace_enter_open_at(struct syscalls_enter_open_at_args *ctx)
69{
70 count(&enter_open_map);
71 return 0;
72}
73
74SEC("tracepoint/syscalls/sys_enter_openat2")
75int trace_enter_open_at2(struct syscalls_enter_open_at_args *ctx)
76{
77 count(&enter_open_map);
78 return 0;
79}
80
81#if !defined(__aarch64__)
82SEC("tracepoint/syscalls/sys_exit_open")
83int trace_enter_exit(struct syscalls_exit_open_args *ctx)
84{
85 count(&exit_open_map);
86 return 0;
87}
88#endif
89
90SEC("tracepoint/syscalls/sys_exit_openat")
91int trace_enter_exit_at(struct syscalls_exit_open_args *ctx)
92{
93 count(&exit_open_map);
94 return 0;
95}
96
97SEC("tracepoint/syscalls/sys_exit_openat2")
98int trace_enter_exit_at2(struct syscalls_exit_open_args *ctx)
99{
100 count(&exit_open_map);
101 return 0;
102}
1/* Copyright (c) 2017 Facebook
2 *
3 * This program is free software; you can redistribute it and/or
4 * modify it under the terms of version 2 of the GNU General Public
5 * License as published by the Free Software Foundation.
6 */
7#include <uapi/linux/bpf.h>
8#include "bpf_helpers.h"
9
10struct syscalls_enter_open_args {
11 unsigned long long unused;
12 long syscall_nr;
13 long filename_ptr;
14 long flags;
15 long mode;
16};
17
18struct syscalls_exit_open_args {
19 unsigned long long unused;
20 long syscall_nr;
21 long ret;
22};
23
24struct bpf_map_def SEC("maps") enter_open_map = {
25 .type = BPF_MAP_TYPE_ARRAY,
26 .key_size = sizeof(u32),
27 .value_size = sizeof(u32),
28 .max_entries = 1,
29};
30
31struct bpf_map_def SEC("maps") exit_open_map = {
32 .type = BPF_MAP_TYPE_ARRAY,
33 .key_size = sizeof(u32),
34 .value_size = sizeof(u32),
35 .max_entries = 1,
36};
37
38static __always_inline void count(void *map)
39{
40 u32 key = 0;
41 u32 *value, init_val = 1;
42
43 value = bpf_map_lookup_elem(map, &key);
44 if (value)
45 *value += 1;
46 else
47 bpf_map_update_elem(map, &key, &init_val, BPF_NOEXIST);
48}
49
50SEC("tracepoint/syscalls/sys_enter_open")
51int trace_enter_open(struct syscalls_enter_open_args *ctx)
52{
53 count((void *)&enter_open_map);
54 return 0;
55}
56
57SEC("tracepoint/syscalls/sys_exit_open")
58int trace_enter_exit(struct syscalls_exit_open_args *ctx)
59{
60 count((void *)&exit_open_map);
61 return 0;
62}