Using the opensnoop.py from iovisor/bcc, I'm trying to extend the ebpf code to handle extraction of full paths from a relative one.
For example, running opensnoop.py and in another terminal running cat anything.txt, the output in opensnoop will show the relative filename, not an absolute path:
$ sudo ./venv/bin/python bcc/tools/opensnoop.py | grep anything.txt &
$ cat anything.txt 2>/dev/null
19536 cat -1 2 anything.txt
$ cat /tmp/anything.txt 2>/dev/null
19540 cat -1 2 /tmp/anything.txt
I've narrowed down the code block in opensnoop.py that I should look into amending, and adding in some logic similar to:
// .. existing code
bpf_probe_read_user(&data.fname, sizeof(data.fname), (void *)filename);
data.id = id;
data.ts = tsp / 1000;
data.uid = bpf_get_current_uid_gid();
data.flags = flags; // EXTENDED_STRUCT_MEMBER
data.ret = ret;
// new code to handle relative paths:
if (data.fname[0] != '/' && data.fname[0] != '\\0') {
    // TODO if filename doesn't start with a /, need to convert relative path to abs
    struct fs_struct *fs = ((struct task_struct *) bpf_get_current_task())->fs;
    // TODO: get pwd path from fs->pwd
    struct path *pwd_path = &fs->pwd; // ?
    // TODO: call bpf_d_path(pwd_path, buf, sz)
    // TODO: update data.fname to insert buf pwd)
}
events.perf_submit(ctx, &data, sizeof(data));
Where I'm stuck is the TODO parts; there don't seem to be many (or any) good examples of using the new bpf_d_path helper function.
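Added example, not code from the question or from bcc: bpf_d_path is only exposed to tracing/LSM program types, and even there only on an allowlisted set of attach points, so the kprobe/tracepoint programs opensnoop loads cannot call it at all; the usual fallback is to finish the resolution in the Python reader, which also lets you honour openat's dfd argument (a relative name is relative to that directory, not to the working directory) instead of assuming fs->pwd. The function below assumes the event carries the PID and, if you add it to the struct, the dfd; the /proc lookups are a constructed, best-effort assumption and the path falls back to the raw name when they fail.

```python
import os
import posixpath

AT_FDCWD = -100  # openat(2): "relative to the calling process's cwd"


def resolve_open_path(fname, pid, dirfd=AT_FDCWD, base=None):
    """Return an absolute form of the name an openat() caller passed.

    fname  - string copied out of the syscall by bpf_probe_read_user
    pid    - PID the event came from (event.id >> 32 in opensnoop)
    dirfd  - the dfd argument of openat(); AT_FDCWD means "relative to cwd"
    base   - optional pre-resolved base directory; when None it is read
             from /proc/<pid>/cwd or /proc/<pid>/fd/<dirfd>. That lookup is
             racy (the task may have exited, chdir'd or closed the fd by the
             time userspace runs), so a failure leaves fname unchanged.
    """
    if not fname or fname.startswith("/"):
        return fname  # already absolute (or empty): nothing to resolve
    if base is None:
        link = (f"/proc/{pid}/cwd" if dirfd == AT_FDCWD
                else f"/proc/{pid}/fd/{dirfd}")
        try:
            base = os.readlink(link)
        except OSError:
            return fname  # process gone, fd closed, or no /proc here
    # normpath folds "." and ".." components so "../x" becomes the path
    # the kernel's own lookup would have walked, not a literal "/a/../x"
    return posixpath.normpath(posixpath.join(base, fname))


if __name__ == "__main__":
    # Constructed sample mirroring the question's `cat anything.txt` event,
    # with the base supplied so the demo does not depend on /proc.
    print(resolve_open_path("anything.txt", 19536, base="/home/user"))
```

In opensnoop's print_event you would call this with `event.fname.decode()` and `event.id >> 32` before printing the PATH column.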