linux/samples/bpf/syscall_tp_kern.c
   1/* Copyright (c) 2017 Facebook
   2 *
   3 * This program is free software; you can redistribute it and/or
   4 * modify it under the terms of version 2 of the GNU General Public
   5 * License as published by the Free Software Foundation.
   6 */
   7#include <uapi/linux/bpf.h>
   8#include "bpf_helpers.h"
   9
   /*
    * Context record handed to the program in section
    * "tracepoint/syscalls/sys_enter_open".
    *
    * The field order and sizes must mirror the tracepoint's record layout
    * (events/syscalls/sys_enter_open/format under tracefs).  Nothing in this
    * file checks that match, so a drifted layout would make a field read the
    * wrong bytes rather than fail visibly.
    */
   struct syscalls_enter_open_args {
           /* 8 bytes skipped; presumably the common tracepoint header - confirm against the format file */
           unsigned long long unused;
           long syscall_nr;
           /*
            * Presumably the user-space address of the path argument.  It is not
            * read in this file; a program that wants the string would have to
            * copy it with a bpf_probe_read-style helper, not dereference it.
            */
           long filename_ptr;
           long flags;
           long mode;
   };
  17
   /*
    * Context record handed to the program in section
    * "tracepoint/syscalls/sys_exit_open".
    *
    * As with the enter record, the layout must mirror the tracepoint's format
    * description (events/syscalls/sys_exit_open/format under tracefs); this
    * file does not verify it.
    */
   struct syscalls_exit_open_args {
           /* 8 bytes skipped; presumably the common tracepoint header - confirm against the format file */
           unsigned long long unused;
           long syscall_nr;
           /* presumably the syscall's return value (fd or negative errno); not read in this file */
           long ret;
   };
  23
   /*
    * One-slot array map holding a single u32 value at key 0.  It is passed to
    * count() by trace_enter_open(), so the value is the number of
    * sys_enter_open hits recorded so far.  Placed in the "maps" section via
    * SEC() (macro from bpf_helpers.h).
    */
   struct bpf_map_def SEC("maps") enter_open_map = {
           .type = BPF_MAP_TYPE_ARRAY,
           .key_size = sizeof(u32),
           .value_size = sizeof(u32),      /* u32 counter: wraps silently past 2^32 - 1 increments */
           .max_entries = 1,               /* only key 0 is ever used */
   };
  30
   /*
    * One-slot array map holding a single u32 value at key 0.  It is passed to
    * count() by the sys_exit_open program, so the value is the number of
    * sys_exit_open hits recorded so far.  Placed in the "maps" section via
    * SEC() (macro from bpf_helpers.h).
    */
   struct bpf_map_def SEC("maps") exit_open_map = {
           .type = BPF_MAP_TYPE_ARRAY,
           .key_size = sizeof(u32),
           .value_size = sizeof(u32),      /* u32 counter: wraps silently past 2^32 - 1 increments */
           .max_entries = 1,               /* only key 0 is ever used */
   };
  37
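   /*
    * Increment the u32 counter stored at key 0 of @map.
    *
    * @map: address of the map definition to update; both callers in this file
    *       pass a one-entry BPF_MAP_TYPE_ARRAY with u32 values.
    *
    * The increment is an atomic add.  The map value is shared by every CPU the
    * tracepoint fires on, and a plain read-modify-write (`*value += 1`) can
    * lose updates under concurrency, leaving the counter lower than the real
    * number of events.
    */
   static __always_inline void count(void *map)
   {
           u32 key = 0;
           u32 init_val = 1;
           u32 *value;

           value = bpf_map_lookup_elem(map, &key);
           if (value) {
                   /* result intentionally unused: only the side effect is needed */
                   __sync_fetch_and_add(value, 1);
                   return;
           }

           /*
            * No element at key 0 yet: seed it with 1.  BPF_NOEXIST makes the
            * insert fail instead of overwriting a value another CPU created in
            * the meantime; the return code is ignored (best effort), so that
            * one event goes uncounted if the insert loses the race.
            * NOTE(review): for array maps an in-range lookup is expected to
            * always succeed, so this path should only matter if count() is
            * reused with another map type - confirm.
            */
           bpf_map_update_elem(map, &key, &init_val, BPF_NOEXIST);
   }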
  49
   /*
    * Program for the sys_enter_open syscall tracepoint (selected by the
    * section name below): adds one to the counter in enter_open_map.
    *
    * @ctx: tracepoint record; not inspected.
    *
    * Always returns 0.  Only this one tracepoint is hooked, so opens made
    * through other syscalls (e.g. openat) are not reflected in the counter.
    */
   SEC("tracepoint/syscalls/sys_enter_open")
   int trace_enter_open(struct syscalls_enter_open_args *ctx)
   {
           void *enter_counter = (void *)&enter_open_map;

           count(enter_counter);
           return 0;
   }
  56
   /*
    * Program for the sys_exit_open syscall tracepoint (selected by the section
    * name below): adds one to the counter in exit_open_map.
    *
    * @ctx: tracepoint record; not inspected, so failed and successful opens
    *       are counted alike.
    *
    * Always returns 0.
    * NOTE(review): the function name says "enter" although it serves the exit
    * tracepoint; left unchanged because the symbol name may be referenced
    * outside this file.
    */
   SEC("tracepoint/syscalls/sys_exit_open")
   int trace_enter_exit(struct syscalls_exit_open_args *ctx)
   {
           void *exit_counter = (void *)&exit_open_map;

           count(exit_counter);
           return 0;
   }
  63