From 0263fdd65ca8dea4452772ef6cfd06ed7c4b596a Mon Sep 17 00:00:00 2001
From: jxy_git
Date: Mon, 26 Jun 2023 19:05:56 +0800
Subject: [PATCH] Load function newfstat unlinkat renameat into BPF virtual machine
---
 observation/src/filesnoop/filesnoop.bpf.c | 35 +++++++++++++++++++++++
 1 file changed, 35 insertions(+)
diff --git a/observation/src/filesnoop/filesnoop.bpf.c b/observation/src/filesnoop/filesnoop.bpf.c
index 52eb863e..9bf6e42c 100644
--- a/observation/src/filesnoop/filesnoop.bpf.c
+++ b/observation/src/filesnoop/filesnoop.bpf.c
@@ -334,3 +334,38 @@ int tracepoint_sys_exit_fstatfs(struct trace_event_raw_sys_exit *ctx)
 {
 return handle_file_syscall_exit(ctx, F_FSTATFS, ctx->ret);
 }
+
+SEC("tracepoint/syscalls/sys_exit_newfstat")
+int tracepoint_sys_enter_newfstat(struct trace_event_raw_sys_enter *ctx)
+{
+ return handle_file_syscall_enter(ctx, F_NEWFSTAT, (int)ctx->args[0]);
+}
+
+SEC("tracepoint/syscalls/sys_exit_newfstat")
+int tracepoint_sys_exit_newfstat(struct trace_event_raw_sys_exit *ctx)
+{
+ return handle_file_syscall_exit(ctx, F_NEWFSTAT, ctx->ret);
+}
+
+SEC("tracepoint/syscalls/sys_enter_unlinkat")
+int tracepoint_sys_enter_unlinkat(struct trace_event_raw_sys_enter *ctx)
+{
+ return handle_file_syscall_enter(ctx, F_UNLINKAT, (int)ctx->args[0]);
+}
+SEC("tracepoint/syscalls/sys_exit_unlinkat")
+int tracepoint_sys_exit_unlinkat(struct trace_event_raw_sys_exit *ctx)
+{
+ return handle_file_syscall_exit(ctx, F_UNLINKAT, ctx->ret);
+}
+
+SEC("tracepoint/syscalls/sys_enter_renameat")
+int tracepoint_sys_enter_renameat(struct trace_event_raw_sys_enter *ctx)
+{
+ return handle_file_syscall_enter(ctx, F_RENAMEAT, (int)ctx->args[0]);
+}
+
+SEC("tracepoint/syscalls/sys_exit_renameat")
+int tracepoint_sys_exit_renameat(struct trace_event_raw_sys_exit *ctx)
+{
+ return handle_file_syscall_exit(ctx, F_RENAMEAT, ctx->ret);
+}
-- Gitee
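Review bot: `tracepoint_sys_enter_newfstat` is placed in `SEC("tracepoint/syscalls/sys_exit_newfstat")`, the same section as the exit handler below it, so nothing is attached to the enter tracepoint for newfstat. On the exit tracepoint the context is really a `trace_event_raw_sys_exit`, so `ctx->args[0]` would most likely read the return value rather than the fd, and the enter/exit pairing for `F_NEWFSTAT` breaks; the section should be `SEC("tracepoint/syscalls/sys_enter_newfstat")`. Separately, for unlinkat and renameat `args[0]` is the directory fd (often `AT_FDCWD`), not a descriptor for the file being removed or renamed. If `handle_file_syscall_enter` (not visible in this hunk) keys its records on that value, these events will not identify the target, and a comment such as `/* args[0] is dirfd; the path is in args[1] */` would make that limit explicit. A file-observation tool would probably also want `renameat2` covered, since renames issued through that syscall would not reach the renameat tracepoints.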