@MSScaleXiaohei

Pull Request Description

Summary

This PR adds a new example chmodsnoop to the BCC project, demonstrating how to trace chmod() system calls using BCC and eBPF.

Changes

  • examples/tracing/chmodsnoop.py: Main example script that traces chmod() syscalls
  • examples/tracing/chmodsnoop_example.txt: Example usage documentation

Features

The example demonstrates:

  • Tracing system calls using kprobes/kretprobes
  • Extracting string arguments from user space
  • Filtering by PID (-p option)
  • Showing only failed calls (-x option)
  • Including timestamps (-T option)
  • Formatting file permissions (mode) in octal format

Example Usage

# Trace all chmod() syscalls
sudo ./chmodsnoop

# Include timestamps
sudo ./chmodsnoop -T

# Only show failed calls
sudo ./chmodsnoop -x

# Filter by PID
sudo ./chmodsnoop -p 181

Testing

The code follows the same pattern as other tracing examples (e.g., statsnoop, opensnoop) and has been checked for:

  • ✅ Code style compliance
  • ✅ No linter errors
  • ✅ Follows project conventions
  • ✅ Proper documentation

Type of Change

  • New example (examples directory)
  • Bug fix
  • Performance improvement
  • Documentation update

Checklist

  • Code follows project style guidelines
  • Code is properly commented
  • Example documentation included
  • No breaking changes
  • Tested locally (basic syntax check)

Note: This is a simple example for the examples directory, focusing on demonstrating BCC capabilities rather than production use.

Add a simple example demonstrating how to trace chmod() system calls
using BCC and eBPF. This example shows:
- Tracing system calls with kprobes/kretprobes
- Extracting string arguments from user space
- Filtering by PID
- Handling syscall errors
- Formatting file permissions

The example includes:
- chmodsnoop.py: Main example script
- chmodsnoop_example.txt: Example usage documentation

This follows the same pattern as other tracing examples like
statsnoop and opensnoop.