As a user of the EventsTrace program I want to be able to see printed on screen when I file is renamed.
As a user of the libebpf library I want to be able to receive file rename events when calling ebpf_event_ctx__next
Data needed
Field
Type
Description
File Name
char[256]
New name of the file being renamed
Full File Path (source)
char[4096]
Full source path of the file being renamed
File File Path (destination)
char[4096]
Full destination path of the file being renamed
Probe
As a starting point , some possible hooking points for this event could be:
fexit on int do_renameat2(int olddfd, struct filename *from, int newdfd, struct filename *to, unsigned int flags)
~fexit on int security_path_rename(const struct path *old_dir, struct dentry *old_dentry, const struct path *new_dir, struct dentry *new_dentry, unsigned int flags); - needs a kernel compiled with CONFIG_SECURITY_PATH~ We can't do this, see this comment https://github.com/elastic/ebpf/issues/46#issuecomment-1000455585
fexit on int vfs_rename(struct renamedata *rd)
Action items
[ ] Write one or more probes that can catch when a file is renamed
[ ] Write BPF_PROG_TEST_RUN tests for the probes (if supported)
[ ] Write integration tests for the probes
[ ] Hook the event to be printed by the EventsTrace program
Stories
EventsTraceprogram I want to be able to see printed on screen when I file is renamed.ebpf_event_ctx__nextData needed
Probe
As a starting point , some possible hooking points for this event could be:
int do_renameat2(int olddfd, struct filename *from, int newdfd, struct filename *to, unsigned int flags)int security_path_rename(const struct path *old_dir, struct dentry *old_dentry, const struct path *new_dir, struct dentry *new_dentry, unsigned int flags);- needs a kernel compiled withCONFIG_SECURITY_PATH~ We can't do this, see this comment https://github.com/elastic/ebpf/issues/46#issuecomment-1000455585int vfs_rename(struct renamedata *rd)Action items
EventsTraceprogram