path: root/dynamic-layers/openembedded-layer/recipes-devtools/bcc/bcc/0001-tools-opensnoop-snoop-do_sys_openat2-for-kernel-v5.6.patch
blob: fb659ccc33161a7753e479d476d9e475144ebc99 (plain)
From 8e12b10e7576a6d47e0dc2cdc36caeb9ba26fa12 Mon Sep 17 00:00:00 2001
From: He Zhe <zhe.he@windriver.com>
Date: Mon, 15 Jun 2020 07:05:24 +0000
Subject: [PATCH] tools: opensnoop: snoop do_sys_openat2 for kernel v5.6 and
 later

Since kernel v5.6, fddb5d430ad9 ("open: introduce openat2(2) syscall"),
do_sys_openat2 instead of do_sys_open has been used as entry function for open.

Upstream-Status: Inappropriate, upstream context has changed and needs more
                 tweak.

Signed-off-by: He Zhe <zhe.he@windriver.com>
---
 tools/opensnoop.py | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/tools/opensnoop.py b/tools/opensnoop.py
index 51d3dc05..522812d4 100755
--- a/tools/opensnoop.py
+++ b/tools/opensnoop.py
@@ -22,6 +22,8 @@ from bcc.utils import printb
 import argparse
 from datetime import datetime, timedelta
 import os
+import platform
+from pkg_resources import parse_version
 
 # arguments
 examples = """examples:
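Review bot: `from pkg_resources import parse_version` is added at module top level, so opensnoop now fails at import time on any target where setuptools is not installed, even when `is_support_kfunc` is true and the version check is never reached. On a minimal image that turns a tracing tool into one that will not start, so either the recipe needs a runtime dependency on setuptools or the import should move into the `if not is_support_kfunc:` branch that uses it. `pkg_resources` is also deprecated by setuptools, so a check that does not rely on it would age better.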
@@ -235,8 +237,14 @@ if debug or args.ebpf:
 # initialize BPF
 b = BPF(text=bpf_text)
 if not is_support_kfunc:
-    b.attach_kprobe(event="do_sys_open", fn_name="trace_entry")
-    b.attach_kretprobe(event="do_sys_open", fn_name="trace_return")
+    # Since kernel v5.6, do_sys_openat2 instead of do_sys_open has been used as entry function for open
+    if parse_version(platform.uname().release.split('-')[0]) > parse_version('5.6.0'):
+        entry = "do_sys_openat2"
+    else:
+        entry = "do_sys_open"
+
+    b.attach_kprobe(event=entry, fn_name="trace_entry")
+    b.attach_kretprobe(event=entry, fn_name="trace_return")
 
 initial_ts = 0
 
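Review bot: The comparison `parse_version(...) > parse_version('5.6.0')` excludes 5.6.0 itself, although the comment above it and the commit message both say the entry function changed in v5.6. On that release the probes would still attach to `do_sys_open`, and opens that reach `do_sys_openat2` directly would presumably go unrecorded, which is a blind spot for anyone relying on opensnoop for file-access monitoring; at minimum this should be `>=`. Deriving the choice from `platform.uname().release` is also fragile on vendor kernels with backports or unusual release strings. Checking for the symbol instead, e.g. `if BPF.get_kprobe_functions(b'do_sys_openat2'):`, selects the entry by what the running kernel actually provides and needs neither of the new imports.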
-- 
2.17.1