Is it possible to trace through what is being read through a text file using eBPF? There are ways to see the amount of memory being used and count reads and writes but I would like to even output the user data using bpf_trace_print if possible.
1 回答
0
我认为这需要跟踪open()(或openat())系统调用并将其(特别是 fd)与跟踪的read调用相关联。
/sys/kernel/debug/tracing/events/syscalls/sys_enter_read/format定义可以访问哪些系统调用参数。您可能感兴趣的是char *buf缓冲区指针,它read()放置已读取的字节。
但是,跟踪调用可能发生在读取任何字节之前(需要检查内核源代码)。因此,可能更可靠的方法是使用BPF_PROG_TYPE_RAW_TRACEPOINT在 read() 返回时挂钩的原始跟踪点 ()。
于 2021-06-10T13:37:41.693 回答