1 // SPDX-License-Identifier: GPL-2.0-only 2 /* Copyright (c) 2017 Facebook 3 */ 4 #include <uapi/linux/bpf.h> 5 #include <bpf/bpf_helpers.h> 6 7 struct syscalls_enter_open_args { 8 unsigned long long unused; 9 long syscall_nr; 10 long filename_ptr; 11 long flags; 12 long mode; 13 }; 14 15 struct syscalls_exit_open_args { 16 unsigned long long unused; 17 long syscall_nr; 18 long ret; 19 }; 20 21 struct { 22 __uint(type, BPF_MAP_TYPE_ARRAY); 23 __type(key, u32); 24 __type(value, u32); 25 __uint(max_entries, 1); 26 } enter_open_map SEC(".maps"); 27 28 struct { 29 __uint(type, BPF_MAP_TYPE_ARRAY); 30 __type(key, u32); 31 __type(value, u32); 32 __uint(max_entries, 1); 33 } exit_open_map SEC(".maps"); 34 35 static __always_inline void count(void *map) 36 { 37 u32 key = 0; 38 u32 *value, init_val = 1; 39 40 value = bpf_map_lookup_elem(map, &key); 41 if (value) 42 *value += 1; 43 else 44 bpf_map_update_elem(map, &key, &init_val, BPF_NOEXIST); 45 } 46 47 #if !defined(__aarch64__) 48 SEC("tracepoint/syscalls/sys_enter_open") 49 int trace_enter_open(struct syscalls_enter_open_args *ctx) 50 { 51 count(&enter_open_map); 52 return 0; 53 } 54 #endif 55 56 SEC("tracepoint/syscalls/sys_enter_openat") 57 int trace_enter_open_at(struct syscalls_enter_open_args *ctx) 58 { 59 count(&enter_open_map); 60 return 0; 61 } 62 63 SEC("tracepoint/syscalls/sys_enter_openat2") 64 int trace_enter_open_at2(struct syscalls_enter_open_args *ctx) 65 { 66 count(&enter_open_map); 67 return 0; 68 } 69 70 #if !defined(__aarch64__) 71 SEC("tracepoint/syscalls/sys_exit_open") 72 int trace_enter_exit(struct syscalls_exit_open_args *ctx) 73 { 74 count(&exit_open_map); 75 return 0; 76 } 77 #endif 78 79 SEC("tracepoint/syscalls/sys_exit_openat") 80 int trace_enter_exit_at(struct syscalls_exit_open_args *ctx) 81 { 82 count(&exit_open_map); 83 return 0; 84 } 85 86 SEC("tracepoint/syscalls/sys_exit_openat2") 87 int trace_enter_exit_at2(struct syscalls_exit_open_args *ctx) 88 { 89 count(&exit_open_map); 90 return 0; 91 } 92