18c2ecf20Sopenharmony_ci// SPDX-License-Identifier: GPL-2.0 28c2ecf20Sopenharmony_ci/* 38c2ecf20Sopenharmony_ci * Hook into 'openat' syscall entry tracepoint 48c2ecf20Sopenharmony_ci * 58c2ecf20Sopenharmony_ci * Test it with: 68c2ecf20Sopenharmony_ci * 78c2ecf20Sopenharmony_ci * perf trace -e tools/perf/examples/bpf/sys_enter_openat.c cat /etc/passwd > /dev/null 88c2ecf20Sopenharmony_ci * 98c2ecf20Sopenharmony_ci * It'll catch some openat syscalls related to the dynamic linked and 108c2ecf20Sopenharmony_ci * the last one should be the one for '/etc/passwd'. 118c2ecf20Sopenharmony_ci * 128c2ecf20Sopenharmony_ci * The syscall_enter_openat_args can be used to get the syscall fields 138c2ecf20Sopenharmony_ci * and use them for filtering calls, i.e. use in expressions for 148c2ecf20Sopenharmony_ci * the return value. 158c2ecf20Sopenharmony_ci */ 168c2ecf20Sopenharmony_ci 178c2ecf20Sopenharmony_ci#include <bpf/bpf.h> 188c2ecf20Sopenharmony_ci 198c2ecf20Sopenharmony_cistruct syscall_enter_openat_args { 208c2ecf20Sopenharmony_ci unsigned long long unused; 218c2ecf20Sopenharmony_ci long syscall_nr; 228c2ecf20Sopenharmony_ci long dfd; 238c2ecf20Sopenharmony_ci char *filename_ptr; 248c2ecf20Sopenharmony_ci long flags; 258c2ecf20Sopenharmony_ci long mode; 268c2ecf20Sopenharmony_ci}; 278c2ecf20Sopenharmony_ci 288c2ecf20Sopenharmony_ciint syscall_enter(openat)(struct syscall_enter_openat_args *args) 298c2ecf20Sopenharmony_ci{ 308c2ecf20Sopenharmony_ci return 1; 318c2ecf20Sopenharmony_ci} 328c2ecf20Sopenharmony_ci 338c2ecf20Sopenharmony_cilicense(GPL); 34