I have tried running opensnoop.py but using
fnname_open='do_sys_open'
(which I have seen in other scripts) instead of
fnname_open = b.get_syscall_prefix().decode() + 'open'
# = '__x86_sys_open' on Ubuntu 18.04
but the script then stops printing file names. What is causing the difference?
When using attach_kprobe(event=fn) is fn a system call or an event?
Do you get list of possible syscall from /proc/kallsyms as described here?
A BPF program attached to __x86_sys_open won't have the same result if you attach it to do_sys_open instead because those two functions don't have the same prototype:
long do_sys_open(int dfd, const char __user *filename, int flags, umode_t mode);
long sys_open(const char __user *filename, int flags, umode_t mode);
So the filename argument, for example, won't be stored in the same register depending on which function you trace. You will need to edit the BPF program as well to fix this.
