iovisor / bcc

BCC - Tools for BPF-based Linux IO analysis, networking, monitoring, and more
Apache License 2.0

libbpf-tools/filelife: Fix error tracking caused by failed unlink #4798

Closed Rtoax closed 1 year ago

Rtoax commented 1 year ago

When we try to delete a file as a normal user after creating the file as root (sudo), the deletion of the file fails, but the kprobe:vfs_unlink is triggered, which leads to incorrect file lifecycle tracking.

This commit makes the same changes [1] as tools/filelife.py, or you can see bcc [2] commit 076ccf079dbb ("tools/filelife: Fix error tracking caused by failed unlink").

  Terminal 1:

    $ sudo ./filelife.py

  Terminal 2:

    $ sudo touch /etc/a.txt
    $ rm /etc/a.txt
    rm: remove write-protected regular empty file '/etc/a.txt'? y
    rm: cannot remove '/etc/a.txt': Permission denied

  Then, terminal 1:

    $ sudo ./filelife.py
    TIME     PID     COMM             AGE(s)  FILE
    12:24:11 4988    rm               7.13    a.txt   <<< wrong statistic

[1] https://github.com/iovisor/bcc/pull/4791
[2] https://github.com/iovisor/bcc/commit/076ccf079dbbbd505cd4f6fa511e67f5f1ee9058
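
The failure mode described in this PR, modelled in plain userspace C as an added example (not the project's BPF code): the entry handler only stashes the candidate, and the return handler reports it only when the call returned 0. The function names, the fixed-size table and the sample events are assumptions constructed for illustration.

```c
#include <stdio.h>

/* Constructed model of entry/return probe pairing; names are hypothetical, not bcc's. */
#define MAX_PENDING 8

struct pending { int used; int tid; double age; char name[32]; };
static struct pending table[MAX_PENDING]; /* stands in for a BPF hash map keyed by tid */
static int reported;                      /* number of lifespan events emitted */

/* Entry side (kprobe:vfs_unlink): remember the candidate, emit nothing yet. */
static int on_unlink_entry(int tid, const char *name, double age)
{
    for (int i = 0; i < MAX_PENDING; i++) {
        if (!table[i].used) {
            table[i].used = 1;
            table[i].tid = tid;
            table[i].age = age;
            snprintf(table[i].name, sizeof(table[i].name), "%s", name);
            return 0;
        }
    }
    return -1; /* table full: drop rather than report unverified data */
}

/* Return side: report only when the unlink actually succeeded (ret == 0). */
static int on_unlink_return(int tid, int ret)
{
    for (int i = 0; i < MAX_PENDING; i++) {
        if (table[i].used && table[i].tid == tid) {
            table[i].used = 0;  /* always clear, success or failure */
            if (ret != 0)
                return 0;       /* failed unlink: the file still exists */
            printf("%-16s %.2f\n", table[i].name, table[i].age);
            reported++;
            return 1;
        }
    }
    return 0; /* return seen without a matching entry */
}

int main(void)
{
    on_unlink_entry(4988, "a.txt", 7.13);
    on_unlink_return(4988, -13); /* constructed: rm as normal user, Permission denied */
    on_unlink_entry(5001, "a.txt", 9.40);
    on_unlink_return(5001, 0);   /* constructed: a later unlink that succeeds */
    return reported == 1 ? 0 : 1;
}
```
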