1
2
3
4
5
6
7#include <uapi/linux/bpf.h>
8#include "bpf_helpers.h"
9
10struct syscalls_enter_open_args {
11 unsigned long long unused;
12 long syscall_nr;
13 long filename_ptr;
14 long flags;
15 long mode;
16};
17
18struct syscalls_exit_open_args {
19 unsigned long long unused;
20 long syscall_nr;
21 long ret;
22};
23
24struct bpf_map_def SEC("maps") enter_open_map = {
25 .type = BPF_MAP_TYPE_ARRAY,
26 .key_size = sizeof(u32),
27 .value_size = sizeof(u32),
28 .max_entries = 1,
29};
30
31struct bpf_map_def SEC("maps") exit_open_map = {
32 .type = BPF_MAP_TYPE_ARRAY,
33 .key_size = sizeof(u32),
34 .value_size = sizeof(u32),
35 .max_entries = 1,
36};
37
38static __always_inline void count(void *map)
39{
40 u32 key = 0;
41 u32 *value, init_val = 1;
42
43 value = bpf_map_lookup_elem(map, &key);
44 if (value)
45 *value += 1;
46 else
47 bpf_map_update_elem(map, &key, &init_val, BPF_NOEXIST);
48}
49
50SEC("tracepoint/syscalls/sys_enter_open")
51int trace_enter_open(struct syscalls_enter_open_args *ctx)
52{
53 count((void *)&enter_open_map);
54 return 0;
55}
56
57SEC("tracepoint/syscalls/sys_exit_open")
58int trace_enter_exit(struct syscalls_exit_open_args *ctx)
59{
60 count((void *)&exit_open_map);
61 return 0;
62}
63