Hi all,

using ftrace events to trace the sys_open*() system calls seems to be a rather quick way to determine which files were used when running a program. E.g., recording the start and the end of any open* system call while running ls /:

   # trace-cmd record --stderr -e syscalls:sys_enter_open* -e syscalls:sys_exit_open* -c -F ls / 2>/dev/null

Printing the recorded trace yields:

   # trace-cmd report
   bin    dev    home        initrd.img.old  lib32  lost+found mnt 
   proc  run    snap  sys  usr    vmlinuz
   etc    initrd.img  lib            lib64  media       opt  root
   sbin    srv   tmp  var    vmlinuz.old
   version = 6
   CPU 0 is empty
   CPU 1 is empty
   CPU 3 is empty
   CPU 4 is empty
   CPU 5 is empty
   CPU 6 is empty
   CPU 7 is empty
                  ls-8307  [002] 15379.397993: sys_enter_open:
   filename: 0x7f471c8e9271, flags: 0x00080000, mode: 0x00000001
                  ls-8307  [002] 15379.398000: sys_exit_open: 0x3
                  ls-8307  [002] 15379.398012: sys_enter_open:
   filename: 0x7f471caf0d60, flags: 0x00080000, mode: 0x7f471caf0168
                  ls-8307  [002] 15379.398013: sys_exit_open: 0x3
                  ls-8307  [002] 15379.398043: sys_enter_open:
   filename: 0x7f471cad14c8, flags: 0x00080000, mode: 0x7f471caf0168
                  ls-8307  [002] 15379.398045: sys_exit_open: 0x3
                  ls-8307  [002] 15379.398070: sys_enter_open:
   filename: 0x7f471cad19a8, flags: 0x00080000, mode: 0x7f471cad1000
                  ls-8307  [002] 15379.398071: sys_exit_open: 0x3
                  ls-8307  [002] 15379.398092: sys_enter_open:
   filename: 0x7f471cad1e98, flags: 0x00080000, mode: 0x7f471cad1000
                  ls-8307  [002] 15379.398094: sys_exit_open: 0x3
                  ls-8307  [002] 15379.398113: sys_enter_open:
   filename: 0x7f471cad0548, flags: 0x00080000, mode: 0x7f471cad19d0
                  ls-8307  [002] 15379.398115: sys_exit_open: 0x3
                  ls-8307  [002] 15379.398326: sys_enter_open:
   filename: 0x7f471c6bfc15, flags: 0x00000000, mode: 0x000001b6
                  ls-8307  [002] 15379.398331: sys_exit_open: 0x3
                  ls-8307  [002] 15379.398375: sys_enter_open:
   filename: 0x7f471c470760, flags: 0x00080000, mode: 0x00000000
                  ls-8307  [002] 15379.398380: sys_exit_open: 0x3
                  ls-8307  [002] 15379.398428: sys_enter_open:
   filename: 0x01c97cc0, flags: 0x00090800, mode: 0x00000000
                  ls-8307  [002] 15379.398430: sys_exit_open: 0x3

Unfortunately, although ftrace prints the filename's address for each file being opened, I could not see any way to obtain the filenames themselves.

Any ideas on how to get hold of the filenames would be great, thanks.
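Added example, not part of the original post: a Python parser for the trace-cmd report layout above that pairs each sys_enter_open with the following sys_exit_open of the same pid, decodes the flags word using x86-64 O_* values (an assumption about the traced machine), and keeps the filename field as the raw user-space address, because the syscall tracepoint records only the pointer, not the string. The sample lines are constructed from the output above; decoding shows, for instance, that the last open (flags 0x90800) carries O_DIRECTORY|O_CLOEXEC|O_NONBLOCK, consistent with ls opening the directory it lists, which the raw hex does not make obvious.

```python
import re

# Constructed sample in the trace-cmd report layout above; the arguments of each
# sys_enter_open wrap onto the line after the event header.
SAMPLE = """\
               ls-8307  [002] 15379.397993: sys_enter_open:
   filename: 0x7f471c8e9271, flags: 0x00080000, mode: 0x00000001
               ls-8307  [002] 15379.398000: sys_exit_open: 0x3
               ls-8307  [002] 15379.398428: sys_enter_open:
   filename: 0x01c97cc0, flags: 0x00090800, mode: 0x00000000
               ls-8307  [002] 15379.398430: sys_exit_open: 0x3
"""

# open(2) flag bits, x86-64 values (asm-generic/fcntl.h); extend as needed
O_FLAGS = {0x40: "O_CREAT", 0x800: "O_NONBLOCK", 0x10000: "O_DIRECTORY", 0x80000: "O_CLOEXEC"}
ACCESS = {0: "O_RDONLY", 1: "O_WRONLY", 2: "O_RDWR"}
HDR = re.compile(r"^\s*(?P<comm>\S+)-(?P<pid>\d+)\s+\[\d+\]\s+(?P<ts>[\d.]+):\s+(?P<ev>\w+):\s*(?P<rest>.*)$")
ARGS = re.compile(r"filename:\s*(0x[0-9a-f]+),\s*flags:\s*(0x[0-9a-f]+),\s*mode:\s*(0x[0-9a-f]+)")

def decode_flags(flags):
    """Render the raw flags word as O_* names; unknown bits are kept as hex."""
    names = [ACCESS.get(flags & 3, "O_ACCMODE?")]
    names += [n for b, n in sorted(O_FLAGS.items()) if flags & b]
    unknown = flags & ~3 & ~sum(O_FLAGS)
    if unknown:
        names.append(f"0x{unknown:x}")
    return "|".join(names)

def parse_open_trace(text):
    """Pair each sys_enter_open with the next sys_exit_open of the same pid."""
    pending, records, lines, i = {}, [], text.splitlines(), 0
    while i < len(lines):
        m = HDR.match(lines[i]); i += 1
        if not m:
            continue
        pid, rest = int(m["pid"]), m["rest"]
        if m["ev"] == "sys_enter_open":
            if "filename:" not in rest and i < len(lines):
                rest = lines[i]; i += 1            # arguments wrapped onto next line
            a = ARGS.search(rest)
            if a:
                pending[pid] = {"pid": pid, "ts": float(m["ts"]), "filename_ptr": int(a[1], 16),
                                "flags": int(a[2], 16), "mode": int(a[3], 16)}
        elif m["ev"] == "sys_exit_open" and pid in pending:
            rec = pending.pop(pid)
            ret = int(rest, 16)
            rec["ret"] = ret - (1 << 64) if ret >= (1 << 63) else ret   # negative errno
            rec["flags_str"] = decode_flags(rec["flags"])
            records.append(rec)
    return records
```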

Kernelnewbies mailing list