From 9d8f1ad05e44dae7d958c79594046e2da13b5005 Mon Sep 17 00:00:00 2001
From: jxy_git
Date: Wed, 21 Jun 2023 16:05:02 +0800
Subject: [PATCH] Trace files are opened and inodes are created and processed
---
 observation/src/filelife/filelife.bpf.c | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
diff --git a/observation/src/filelife/filelife.bpf.c b/observation/src/filelife/filelife.bpf.c
index e44fb840..b8300ef7 100644
--- a/observation/src/filelife/filelife.bpf.c
+++ b/observation/src/filelife/filelife.bpf.c
@@ -56,3 +56,22 @@ int BPF_KPROBE(vfs_create, void *arg0, void *arg1, void *arg2)
 else
 return probe_create(arg1);
 }
+
+SEC("kprobe/vfs_open")
+int BPF_KPROBE(vfs_open, struct path *path, struct file *file)
+{
+ struct dentry *dentry = BPF_CORE_READ(path, dentry);
+ int fmode = BPF_CORE_READ(file, f_mode);
+
+ if (!(fmode & FMODE_CREATED))
+ return 0;
+
+ return probe_create(dentry);
+}
+
+SEC("kprobe/security_inode_create")
+int BPF_KPROBE(security_inode_create, struct inode *dir,
+ struct dentry *dentry)
+{
+ return probe_create(dentry);
+}
-- Gitee
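Review bot: The `security_inode_create` kprobe fires on entry to the LSM permission hook, before the filesystem has actually created the inode, so `probe_create(dentry)` also runs for creations that are later denied or fail. probe_create is defined outside this hunk, but if it records the dentry in a map, such entries would never be matched by a later unlink; they can crowd out real ones or be misattributed when the dentry address is reused, which leaves a gap in the file-lifetime trace. An O_CREAT open also appears to reach both this hook and `vfs_open` with FMODE_CREATED set, so the same dentry is probably recorded twice; a comment above the `vfs_open` probe should say so, e.g. `/* may follow security_inode_create for the same dentry; probe_create must tolerate a repeat */`. Separately, `f_mode` is the unsigned `fmode_t` in the kernel, so `fmode_t fmode = BPF_CORE_READ(file, f_mode);` would keep the flag test out of a signed `int`.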