tools/opensnoop: Use do_sys_open for kprobe hook

Systems such as Android mostly use openat which makes us miss all attempts to open. Instead use do_sys_open for the kprobe hook where all the open calls finally end up, so that we don't miss anything. Signed-off-by: Joel Fernandes <joelaf@google.com>

tools/opensnoop: Use do_sys_open for kprobe hook
Systems such as Android mostly use openat which makes us miss all attempts to open. Instead use do_sys_open for the kprobe hook where all the open calls finally end up, so that we don't miss anything. Signed-off-by: Joel Fernandes <joelaf@google.com>
9af548f9 · Joel Fernandes · 0d5084da · 9af548f9
Commit 9af548f9 authored Jan 07, 2018 by Joel Fernandes
Hide whitespace changes
Inline Side-by-side

Showing with 3 additions and 3 deletions

tools/opensnoop.py tools/opensnoop.py +3 -3

No files found.
--- a/tools/opensnoop.py
+++ b/tools/opensnoop.py
@@ -68,7 +68,7 @@ struct data_t {
 BPF_HASH(infotmp, u64, struct val_t);
 BPF_PERF_OUTPUT(events);

-int trace_entry(struct pt_regs *ctx, const char __user *filename)
+int trace_entry(struct pt_regs *ctx, int dfd, const char __user *filename)
 {
    struct val_t val = {};
    u64 id = bpf_get_current_pid_tgid();
@@ -124,8 +124,8 @@ if debug:

 # initialize BPF
 b = BPF(text=bpf_text)
-b.attach_kprobe(event="sys_open", fn_name="trace_entry")
-b.attach_kretprobe(event="sys_open", fn_name="trace_return")
+b.attach_kprobe(event="do_sys_open", fn_name="trace_entry")
+b.attach_kretprobe(event="do_sys_open", fn_name="trace_return")

 TASK_COMM_LEN = 16    # linux/sched.h
 NAME_MAX = 255        # linux/limits.h