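#!/usr/bin/python3
"""Trace openat() syscalls through a BPF ring buffer and print one line per call.

The probe fires on the sys_enter_openat tracepoint, so each line is an
attempted open: the syscall's result is not captured here. The path is copied
from the calling process's memory at syscall entry and is untrusted input. It
may be truncated, may not be valid UTF-8, and may contain terminal control
characters, so it is escaped before it is printed.
"""

import sys
import time

from bcc import BPF

src = r"""
// Ring buffer shared with user space; the second argument is its size in pages.
BPF_RINGBUF_OUTPUT(buffer, 1 << 4);

struct event {
    char filename[64];
    int dfd;
    int flags;
    int mode;
};

TRACEPOINT_PROBE(syscalls, sys_enter_openat) {
    // Reserve room for one record. When the buffer is full this returns NULL
    // and the call goes unrecorded; nothing in this program counts the drop.
    struct event *event = buffer.ringbuf_reserve(sizeof(struct event));
    if (!event) {
        return 1;
    }

    // Copies at most sizeof(filename) bytes including the NUL, so longer paths
    // are cut short. The return value is not checked, so a failed read still
    // produces an event.
    bpf_probe_read_user_str(event->filename, sizeof(event->filename), args->filename);

    event->dfd = args->dfd;
    event->flags = args->flags;
    event->mode = args->mode;

    // A reserved record must be either submitted or discarded.
    buffer.ringbuf_submit(event, 0);
    // or, to discard: buffer.ringbuf_discard(event, 0);

    return 0;
}
"""

b = BPF(text=src)


def _printable(raw):
    """Return the bytes `raw` as text that is safe to write to a terminal.

    Undecodable bytes (for example a multi-byte UTF-8 sequence cut in half by
    the 64-byte limit) become backslash escapes instead of raising
    UnicodeDecodeError, and non-printable characters such as ESC or newlines
    are shown escaped so a crafted path cannot inject terminal sequences or
    forge extra output lines.
    """
    text = raw.decode('utf-8', errors='backslashreplace')
    return ''.join(
        ch if ch.isprintable() else ch.encode('unicode_escape').decode('ascii')
        for ch in text
    )


def callback(ctx, data, size):
    """Ring-buffer callback: decode one event record and print it as a row."""
    event = b['buffer'].event(data)
    print("%-64s %10d %10d %10d" % (_printable(event.filename), event.dfd, event.flags, event.mode))


b['buffer'].open_ring_buffer(callback)

print("Printing openat() calls, ctrl-c to exit.")

print("%-64s %10s %10s %10s" % ("FILENAME", "DIR_FD", "FLAGS", "MODE"))

try:
    while 1:
        # Drain whatever has accumulated, then sleep. Records produced while
        # the buffer is full during the sleep are lost (see ringbuf_reserve
        # in the BPF program above).
        b.ring_buffer_consume()
        time.sleep(0.5)
except KeyboardInterrupt:
    sys.exit()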