OpenTracer
- class duetector.tracers.bcc.openat2.OpenTracer(config: Config | dict[str, Any] | None = None, *args, **kwargs)[source]
Bases: BccTracer
A tracer for the openat2 syscall.
- attach_type: str | None = 'kprobe'
Attach type for bcc.BPF, called as BPF.attach_{attach_type}.
- attatch_args: dict[str, str] = {'event': 'do_sys_openat2', 'fn_name': 'trace_entry'}
Args for the attach function.
- data_t
alias of OpenTracking
- default_config = {'attach_event': 'do_sys_openat2', 'disabled': False, 'poll_timeout': 10}
Default config for this tracer.
- name: str | None = 'do_sys_openat2'
Name for this tracer. Will be used for collecting data.
- property poll_args
dict() -> new empty dictionary
dict(mapping) -> new dictionary initialized from a mapping object's (key, value) pairs
dict(iterable) -> new dictionary initialized as if via:
    d = {}
    for k, v in iterable:
        d[k] = v
dict(**kwargs) -> new dictionary initialized with the name=value pairs in the keyword argument list. For example: dict(one=1, two=2)
- poll_fn: str = 'ring_buffer_poll'
Poll function name in bcc.BPF.
- prog: str
BPF program (C source attached at the kprobe):

    #include <linux/sched.h>
    #include <linux/fs_struct.h>

    struct data_t {
        u32 pid;
        u32 uid;
        u32 gid;
        char comm[TASK_COMM_LEN];
        char fname[NAME_MAX];

        u64 timestamp;
    };

    BPF_RINGBUF_OUTPUT(buffer, 1 << 4);

    int trace_entry(struct pt_regs *ctx, int dfd, const char __user *filename, struct open_how *how) {
        struct data_t data = {};
        data.pid = bpf_get_current_pid_tgid();
        data.uid = bpf_get_current_uid_gid();
        data.gid = bpf_get_current_uid_gid() >> 32;
        data.timestamp = bpf_ktime_get_ns();
        bpf_get_current_comm(&data.comm, sizeof(data.comm));
        bpf_probe_read_user_str(&data.fname, sizeof(data.fname), filename);
        buffer.ringbuf_output(&data, sizeof(data), 0);
        return 0;
    }
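As an added example (not duetector's own code), a userspace mirror of the struct data_t that the program above writes to the ring buffer, so that records handed over by poll_fn can be decoded and the packed pid/tgid and uid/gid helper values split the way the program does; OpenEvent, decode_event, split_pid_tgid, split_uid_gid and the sample record are assumed names and constructed values.

```python
import ctypes

TASK_COMM_LEN = 16   # linux/sched.h, size of data_t.comm
NAME_MAX = 255       # linux/limits.h, size of data_t.fname


class OpenEvent(ctypes.Structure):
    """Userspace mirror of `struct data_t` in OpenTracer.prog (assumed name;
    same field order and natural C alignment as the kernel-side struct)."""
    _fields_ = [
        ("pid", ctypes.c_uint32),
        ("uid", ctypes.c_uint32),
        ("gid", ctypes.c_uint32),
        ("comm", ctypes.c_char * TASK_COMM_LEN),
        ("fname", ctypes.c_char * NAME_MAX),
        ("timestamp", ctypes.c_uint64),   # bpf_ktime_get_ns(); forces 8-byte padding before it
    ]


EVENT_SIZE = ctypes.sizeof(OpenEvent)   # 296 on 64-bit: 283 bytes of fields + 5 pad + u64


def split_pid_tgid(value: int) -> tuple[int, int]:
    """bpf_get_current_pid_tgid() packs tgid << 32 | pid. Storing it in a u32, as
    the program does, keeps only the low half: the kernel pid (userspace thread id)."""
    return value & 0xFFFFFFFF, value >> 32


def split_uid_gid(value: int) -> tuple[int, int]:
    """bpf_get_current_uid_gid() packs gid << 32 | uid; the program mirrors this split."""
    return value & 0xFFFFFFFF, value >> 32


def decode_event(raw: bytes) -> dict:
    """Decode one ring-buffer record (what poll_fn hands to the callback) into a dict."""
    if len(raw) < EVENT_SIZE:
        raise ValueError(f"short record: {len(raw)} < {EVENT_SIZE} bytes")
    ev = OpenEvent.from_buffer_copy(raw[:EVENT_SIZE])
    return {
        "pid": ev.pid,
        "uid": ev.uid,
        "gid": ev.gid,
        "comm": ev.comm.decode(errors="replace"),    # c_char arrays read up to the first NUL
        "fname": ev.fname.decode(errors="replace"),  # bpf_probe_read_user_str NUL-terminates
        "timestamp": ev.timestamp,
    }


def build_sample_event(pid: int, uid: int, gid: int, comm: str, fname: str, ts: int) -> bytes:
    """Constructed record with the exact kernel-side layout, for offline testing."""
    ev = OpenEvent(pid=pid, uid=uid, gid=gid, comm=comm.encode(), fname=fname.encode(), timestamp=ts)
    return bytes(ev)
```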