@ktosiek
Created September 26, 2020 20:36
bpftrace script for monitoring chmods. I've used this for debugging https://gist.github.com/ktosiek/88bdaa331563164125a5474735cbc8f8
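// Monitor all chmods and renames in the system.
// Some of those take an fd, so also track all openat calls to know where the files live.
// Output columns: pid, comm, path (fchmod: fd, then path), then the mode in decimal
// for chmods or the new name for renames.

tracepoint:syscalls:sys_enter_chmod {
    printf("%u %s %s %u\n", pid, comm, str(args->filename), args->mode);
}

tracepoint:syscalls:sys_enter_fchmod {
    // The path is whatever the last traced openat in this process returned for this fd;
    // it is empty if the fd was not opened via openat while the script was running.
    printf("%u %s %u %s %u\n", pid, comm, args->fd, @fds[pid, args->fd], args->mode);
}

tracepoint:syscalls:sys_enter_fchmodat {
    printf("%u %s %s %u\n", pid, comm, str(args->filename), args->mode);
}

tracepoint:syscalls:sys_enter_renameat {
    printf("%u %s %s %s\n", pid, comm, str(args->oldname), str(args->newname));
}

tracepoint:syscalls:sys_enter_renameat2 {
    printf("%u %s %s %s\n", pid, comm, str(args->oldname), str(args->newname));
}

tracepoint:syscalls:sys_enter_openat {
    // Key by tid: threads of one process can be inside openat at the same time.
    @openat[tid] = str(args->filename);
}

tracepoint:syscalls:sys_exit_openat {
    // Record the path only when openat succeeded (ret is the new fd).
    if (args->ret >= 0) {
        @fds[pid, args->ret] = @openat[tid];
    }
    delete(@openat[tid]);
}

// Empty the helper maps on exit so bpftrace does not dump them.
END { clear(@fds); clear(@openat); }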