aserper · March 19, 2024 14:43
diff --git a/gistfile1.txt b/gistfile1.txt
 from bcc import BPF

 # Define the eBPF program
 prog = """
 #include <uapi/linux/ptrace.h>

 // Instrument the chmod syscall entry
 TRACEPOINT_PROBE(syscalls, sys_enter_chmod) {
    // args is a built-in structure provided by the tracepoint
    // It contains all the arguments of the syscall being traced
    const char *filename = (const char *)args->filename;
    u32 mode = args->mode;

    // Log the filename and mode
    bpf_trace_printk("chmod called on %s with mode %o\\n", filename, mode);
    return 0;
 }
 """

 # Load eBPF program
 b = BPF(text=prog)

 # Print the output of bpf_trace_printk
 print("Tracing chmod syscalls... Hit Ctrl-C to end.")
 while True:
    try:
        (task, pid, cpu, flags, ts, msg) = b.trace_fields()
        print("%-18.9f %-16s %-6d %s" % (ts, task, pid, msg))
    except KeyboardInterrupt:
        exit()
	from bcc import BPF

	# Define the eBPF program
	prog = """
	#include <uapi/linux/ptrace.h>

	// Instrument the chmod syscall entry
	TRACEPOINT_PROBE(syscalls, sys_enter_chmod) {
	// args is a built-in structure provided by the tracepoint
	// It contains all the arguments of the syscall being traced
	const char filename = (const char )args->filename;
	u32 mode = args->mode;

	// Log the filename and mode
	bpf_trace_printk("chmod called on %s with mode %o\\n", filename, mode);
	return 0;
	}
	"""

	# Load eBPF program
	b = BPF(text=prog)

	# Print the output of bpf_trace_printk
	print("Tracing chmod syscalls... Hit Ctrl-C to end.")
	while True:
	try:
	(task, pid, cpu, flags, ts, msg) = b.trace_fields()
	print("%-18.9f %-16s %-6d %s" % (ts, task, pid, msg))
	except KeyboardInterrupt:
	exit()