tools/opensnoop: Use do_sys_open for kprobe hook

Systems such as Android mostly use openat which makes us miss all attempts to open. Instead use do_sys_open for the kprobe hook where all the open calls finally end up, so that we don't miss anything. Signed-off-by: Joel Fernandes <[email protected]>
tkuburic · Jan 28, 2018 · 9af548f · 9af548f
1 parent 0d5084d
commit 9af548f
Showing 1 changed file with 3 additions and 3 deletions.
diff --git a/tools/opensnoop.py b/tools/opensnoop.py
@@ -68,7 +68,7 @@
 BPF_HASH(infotmp, u64, struct val_t);
 BPF_PERF_OUTPUT(events);
 
-int trace_entry(struct pt_regs *ctx, const char __user *filename)
+int trace_entry(struct pt_regs *ctx, int dfd, const char __user *filename)
 {
  struct val_t val = {};
  u64 id = bpf_get_current_pid_tgid();
@@ -124,8 +124,8 @@
 
 # initialize BPF
 b = BPF(text=bpf_text)
-b.attach_kprobe(event="sys_open", fn_name="trace_entry")
-b.attach_kretprobe(event="sys_open", fn_name="trace_return")
+b.attach_kprobe(event="do_sys_open", fn_name="trace_entry")
+b.attach_kretprobe(event="do_sys_open", fn_name="trace_return")
 
 TASK_COMM_LEN = 16 # linux/sched.h
 NAME_MAX = 255 # linux/limits.h