libbpf-tools/opensnoop: Display mode for extended fields

Do the same thing of [1] and add tracepoint/syscalls/sys_enter_openat2 support. Link: e80ad4d [1] Signed-off-by: Rong Tao <[email protected]>
iovisor · Feb 5, 2025 · 113fbb0 · 113fbb0
1 parent e80ad4d
commit 113fbb0
Show file tree

Hide file tree

Showing 3 changed files with 64 additions and 2 deletions.
diff --git a/libbpf-tools/opensnoop.bpf.c b/libbpf-tools/opensnoop.bpf.c
@@ -5,6 +5,13 @@
 #include <bpf/bpf_helpers.h>
 #include "opensnoop.h"
 
+#ifndef O_CREAT
+#define O_CREAT		00000100
+#endif
+#ifndef O_TMPFILE
+#define O_TMPFILE	020200000
+#endif
+
 const volatile pid_t targ_pid = 0;
 const volatile pid_t targ_tgid = 0;
 const volatile uid_t targ_uid = 0;
@@ -59,6 +66,7 @@ int tracepoint__syscalls__sys_enter_open(struct syscall_trace_enter* ctx)
 		struct args_t args = {};
 		args.fname = (const char *)ctx->args[0];
 		args.flags = (int)ctx->args[1];
+		args.mode = (__u32)ctx->args[2];
 		bpf_map_update_elem(&start, &pid, &args, 0);
 	}
 	return 0;
@@ -77,11 +85,34 @@ int tracepoint__syscalls__sys_enter_openat(struct syscall_trace_enter* ctx)
 		struct args_t args = {};
 		args.fname = (const char *)ctx->args[1];
 		args.flags = (int)ctx->args[2];
+		args.mode = (__u32)ctx->args[3];
 		bpf_map_update_elem(&start, &pid, &args, 0);
 	}
 	return 0;
 }
 
+SEC("tracepoint/syscalls/sys_enter_openat2")
+int tracepoint__syscalls__sys_enter_openat2(struct syscall_trace_enter* ctx)
+{
+	u64 id = bpf_get_current_pid_tgid();
+	/* use kernel terminology here for tgid/pid: */
+	u32 tgid = id >> 32;
+	u32 pid = id;
+
+	/* store arg info for later lookup */
+	if (trace_allowed(tgid, pid)) {
+		struct args_t args = {};
+		struct open_how how = {};
+		args.fname = (const char *)ctx->args[1];
+		bpf_probe_read_user(&how, sizeof(how), (void *)ctx->args[2]);
+		args.flags = (int)how.flags;
+		args.mode = (__u32)how.mode;
+		bpf_map_update_elem(&start, &pid, &args, 0);
+	}
+	return 0;
+}
+
+
 static __always_inline
 int trace_exit(struct syscall_trace_exit* ctx)
 {
@@ -104,6 +135,12 @@ int trace_exit(struct syscall_trace_exit* ctx)
 	bpf_get_current_comm(&event.comm, sizeof(event.comm));
 	bpf_probe_read_user_str(&event.fname, sizeof(event.fname), ap->fname);
 	event.flags = ap->flags;
+
+	if (ap->flags & O_CREAT || (ap->flags & O_TMPFILE) == O_TMPFILE)
+		event.mode = ap->mode;
+	else
+		event.mode = 0;
+
 	event.ret = ret;
 
 	bpf_get_stack(ctx, &stack, sizeof(stack),
@@ -133,4 +170,10 @@ int tracepoint__syscalls__sys_exit_openat(struct syscall_trace_exit* ctx)
 	return trace_exit(ctx);
 }
 
+SEC("tracepoint/syscalls/sys_exit_openat2")
+int tracepoint__syscalls__sys_exit_openat2(struct syscall_trace_exit* ctx)
+{
+	return trace_exit(ctx);
+}
+
 char LICENSE[] SEC("license") = "GPL";
diff --git a/libbpf-tools/opensnoop.c b/libbpf-tools/opensnoop.c
@@ -4,7 +4,11 @@
 //
 // Based on opensnoop(8) from BCC by Brendan Gregg and others.
 // 14-Feb-2020   Brendan Gregg   Created this.
+#ifndef _GNU_SOURCE
+#define _GNU_SOURCE
+#endif
 #include <argp.h>
+#include <fcntl.h>
 #include <signal.h>
 #include <stdio.h>
 #include <stdlib.h>
@@ -257,7 +261,11 @@ void handle_event(void *ctx, int cpu, void *data, __u32 data_sz)
 	printf("%-6d %-16s %3d %3d ", e.pid, e.comm, fd, err);
 	sps_cnt += 7 + 17 + 4 + 4;
 	if (env.extended) {
-		printf("%08o ", e.flags);
+		if (e.mode == 0 && (e.flags & O_CREAT) == 0 &&
+		    (e.flags & O_TMPFILE) != O_TMPFILE)
+			printf("%08o n/a  ", e.flags);
+		else
+			printf("%08o %04o ", e.flags, e.mode);
 		sps_cnt += 9;
 	}
 	printf("%s\n", e.fname);
@@ -328,6 +336,15 @@ int main(int argc, char **argv)
 		bpf_program__set_autoload(obj->progs.tracepoint__syscalls__sys_exit_open, false);
 	}
 
+	/**
+	 * linux since v5.5 support openat2(2), commit fddb5d430ad9 ("open:
+	 * introduce openat2(2) syscall").
+	 */
+	if (!tracepoint_exists("syscalls", "sys_enter_openat2")) {
+		bpf_program__set_autoload(obj->progs.tracepoint__syscalls__sys_enter_openat2, false);
+		bpf_program__set_autoload(obj->progs.tracepoint__syscalls__sys_exit_openat2, false);
+	}
+
 	err = opensnoop_bpf__load(obj);
 	if (err) {
 		fprintf(stderr, "failed to load BPF object: %d\n", err);
@@ -352,7 +369,7 @@ int main(int argc, char **argv)
 		printf("%-7s ", "UID");
 	printf("%-6s %-16s %3s %3s ", "PID", "COMM", "FD", "ERR");
 	if (env.extended)
-		printf("%-8s ", "FLAGS");
+		printf("%-8s %-5s ", "FLAGS", "MODE");
 	printf("%s", "PATH");
 #ifdef USE_BLAZESYM
 	if (env.callers)

diff --git a/libbpf-tools/opensnoop.h b/libbpf-tools/opensnoop.h
@@ -9,6 +9,7 @@
 struct args_t {
 	const char *fname;
 	int flags;
+	__u32 mode;
 };
 
 struct event {
@@ -18,6 +19,7 @@ struct event {
 	uid_t uid;
 	int ret;
 	int flags;
+	__u32 mode;
 	__u64 callers[2];
 	char comm[TASK_COMM_LEN];
 	char fname[NAME_MAX];