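def main():
    """Entry point: parse CLI flags, load the BPF program and stream events.

    The module-level ``bpf_text`` is rewritten in place (prefixed with the
    container/namespace filter code derived from ``--cgroupmap`` /
    ``--mntnsmap``) before it is compiled.  With ``--ebpf`` the generated
    program source is printed instead of being loaded, which lets an
    operator audit exactly what would be attached to the kernel.

    Raises:
        SystemExit: on ``--ebpf`` (after printing the source) and on Ctrl-C.
    """
    import sys  # function-scope: the file's import block is outside this excerpt

    parser = argparse.ArgumentParser(
        description='trace mount() and umount() syscalls')
    parser.add_argument("--ebpf", action="store_true", help=argparse.SUPPRESS)
    parser.add_argument("-P",
                        "--parent_process",
                        action="store_true",
                        help="also snoop the parent process")
    parser.add_argument("--cgroupmap",
                        help="trace cgroups in this BPF map only")
    parser.add_argument("--mntnsmap",
                        help="trace mount namespaces in this BPF map only")
    args = parser.parse_args()

    # State handed to print_event via functools.partial below; print_event
    # is outside this excerpt, so what it stores here is not visible.
    mounts = {}
    umounts = {}
    global bpf_text
    bpf_text = filter_by_containers(args) + bpf_text
    if args.ebpf:
        print(bpf_text)
        # sys.exit rather than the site-module exit(), which is meant for
        # interactive use and is absent under `python -S`.
        sys.exit()

    b = bcc.BPF(text=bpf_text)
    # One kprobe/kretprobe pair per syscall, attached in the same order as
    # before: mount entry, mount return, umount entry, umount return.
    for syscall, entry_fn, ret_fn in (
            ("mount", "syscall__mount", "do_ret_sys_mount"),
            ("umount", "syscall__umount", "do_ret_sys_umount")):
        fnname = b.get_syscall_fnname(syscall)
        b.attach_kprobe(event=fnname, fn_name=entry_fn)
        b.attach_kretprobe(event=fnname, fn_name=ret_fn)
    b['events'].open_perf_buffer(
        functools.partial(print_event, mounts, umounts, args.parent_process))

    if args.parent_process:
        print('{:16} {:<7} {:<7} {:16} {:<7} {:<11} {}'.format(
            'COMM', 'PID', 'TID', 'PCOMM', 'PPID', 'MNT_NS', 'CALL'))
    else:
        print('{:16} {:<7} {:<7} {:<11} {}'.format('COMM', 'PID', 'TID',
                                                   'MNT_NS', 'CALL'))

    # Poll until Ctrl-C.  The try sits outside the loop so the handler is
    # set up once instead of on every iteration.
    try:
        while True:
            b.perf_buffer_poll()
    except KeyboardInterrupt:
        sys.exit()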
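# Splice each enabled CLI filter into its FILTER_* placeholder in the BPF
# program source; placeholders that were not enabled are blanked at the end.
# pid/uid/port arrive from argparse (outside this excerpt) and are written
# verbatim into C source that the BPF compiler builds, so they are coerced
# to int first: a malformed value then fails here with a clear ValueError
# instead of surfacing as a compile error inside the generated program.
if args.pid:
    bpf_text = bpf_text.replace('FILTER_PID',
                                'if (pid != %s) { return 0; }' % int(args.pid))
if args.port:
    sports = [int(sport) for sport in args.port.split(',')]
    sports_if = ' && '.join('sport != %d' % sport for sport in sports)
    bpf_text = bpf_text.replace(
        'FILTER_PORT',
        'if (%s) { currsock.delete(&tid); return 0; }' % sports_if)
if args.uid:
    bpf_text = bpf_text.replace('FILTER_UID',
                                'if (uid != %s) { return 0; }' % int(args.uid))
if args.errors:
    # Presumably clears the program's ignore-errors default so failed
    # connects are reported as well — the C side is outside this excerpt.
    bpf_text = bpf_text.replace('FILTER_ERRORS', 'ignore_errors = 0;')
bpf_text = filter_by_containers(args) + bpf_text
# Blank whatever placeholders remain (including any in the prepended
# container-filter code), in the same order as the substitutions above.
for placeholder in ('FILTER_PID', 'FILTER_PORT', 'FILTER_UID', 'FILTER_ERRORS'):
    bpf_text = bpf_text.replace(placeholder, '')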

# selecting output format - 80 characters or wide, fitting IPv6 addresses
# The *_header_fmt values are str and the *_output_fmt values are bytes
# (note the b"" prefixes); the code that applies them is outside this
# excerpt, so which fields each %-slot receives cannot be confirmed here.
header_fmt = "%8s %-12.12s %-4s %-15s %-5s %5s %2s"
output_fmt = b"%8d %-12.12s %-4.4s %-15.15s %5d %-5s %2d"
error_header_fmt = "%3s "
error_output_fmt = b"%3s "
error_value_fmt = str
if args.wide:
    # 39 columns is wide enough for a full-length textual IPv6 address.
    header_fmt = "%10s %-12.12s %-4s %-39s %-5s %5s %2s"
    output_fmt = b"%10d %-12.12s %-4s %-39s %5d %-5s %2d"
    # NOTE(review): error_output_fmt and error_value_fmt are not widened in
    # this excerpt although error_header_fmt is — confirm against the full
    # file that the excerpt is not simply cut off here.
    error_header_fmt = "%-25s "
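parser = argparse.ArgumentParser(
    description="Trace system tps",
    formatter_class=argparse.RawDescriptionHelpFormatter,
    epilog=examples)
parser.add_argument("--cgroupmap", help="trace cgroups in this BPF map only")
parser.add_argument("--mntnsmap",
                    help="trace mount namespaces in this BPF map only")
args = parser.parse_args()

# read BPF program: exit.c lives next to this script.  os.path.join instead
# of string concatenation keeps the path relative when dirname(__file__) is
# '' (interpreters where __file__ of the main script is relative);
# '' + '/exit.c' would otherwise point at the filesystem root.
module_path = os.path.dirname(__file__)
filename = os.path.join(module_path, 'exit.c')
with open(filename, mode="r", encoding="utf-8") as file:
    prog = file.read()

# Prepend the cgroup / mount-namespace filter code selected by the flags.
prog = filter_by_containers(args) + prog

# load BPF program
b = BPF(text=prog)

# header
# NOTE(review): the message names sys_read, but the callback below reads
# from "close_events" — confirm which syscall exit.c actually traces.
print("Start monitoring the sys_read system call")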


def sys_exit_close(cpu, data, size):
    """Perf-buffer callback: print one record from the "close_events" map.

    ``cpu`` and ``size`` are part of the callback signature and unused;
    ``data`` is decoded through the module-level ``b`` (the loaded BPF
    object).  Fields are printed with ``str()``; if ``comm`` is a bytes
    value this shows a ``b'...'`` prefix — confirm against the event struct.
    """
    rec = b["close_events"].event(data)
    parts = [str(rec.comm), "   ", str(rec.pid), "  ", str(rec.fd),
             "   ", str(rec.ret)]
    print("".join(parts))