opensnoop: supported uid options
diff --git a/tools/opensnoop.py b/tools/opensnoop.py
index 2a00737..2e84e02 100755
--- a/tools/opensnoop.py
+++ b/tools/opensnoop.py
@@ -13,6 +13,7 @@
# 29-Apr-2016 Allan McAleavy Updated for BPF_PERF_OUTPUT.
# 08-Oct-2016 Dina Goldshtein Support filtering by PID and TID.
# 28-Dec-2018 Tim Douglas Print flags argument, enable filtering
+# 06-Jan-2019 Takuma Kume Support filtering by UID
from __future__ import print_function
from bcc import ArgString, BPF
@@ -25,9 +26,11 @@
examples = """examples:
./opensnoop # trace all open() syscalls
./opensnoop -T # include timestamps
+ ./opensnoop -U # include UID
./opensnoop -x # only show failed opens
./opensnoop -p 181 # only trace PID 181
./opensnoop -t 123 # only trace TID 123
+ ./opensnoop -u 1000 # only trace UID 1000
./opensnoop -d 10 # trace for 10 seconds only
./opensnoop -n main # only print process names containing "main"
./opensnoop -e # show extended fields
@@ -39,12 +42,16 @@
epilog=examples)
parser.add_argument("-T", "--timestamp", action="store_true",
help="include timestamp on output")
+parser.add_argument("-U", "--print-uid", action="store_true",
+ help="print UID column")
parser.add_argument("-x", "--failed", action="store_true",
help="only show failed opens")
parser.add_argument("-p", "--pid",
help="trace this PID only")
parser.add_argument("-t", "--tid",
help="trace this TID only")
+parser.add_argument("-u", "--uid",
+ help="trace this UID only")
parser.add_argument("-d", "--duration",
help="total duration of trace in seconds")
parser.add_argument("-n", "--name",
@@ -85,6 +92,7 @@
struct data_t {
u64 id;
u64 ts;
+ u32 uid;
int ret;
char comm[TASK_COMM_LEN];
char fname[NAME_MAX];
@@ -100,8 +108,10 @@
u64 id = bpf_get_current_pid_tgid();
u32 pid = id >> 32; // PID is higher part
u32 tid = id; // Cast and get the lower part
+ u32 uid = bpf_get_current_uid_gid();
PID_TID_FILTER
+ UID_FILTER
FLAGS_FILTER
if (bpf_get_current_comm(&val.comm, sizeof(val.comm)) == 0) {
val.id = id;
@@ -130,6 +140,7 @@
bpf_probe_read(&data.fname, sizeof(data.fname), (void *)valp->fname);
data.id = valp->id;
data.ts = tsp / 1000;
+ data.uid = bpf_get_current_uid_gid();
data.flags = valp->flags; // EXTENDED_STRUCT_MEMBER
data.ret = PT_REGS_RC(ctx);
@@ -147,6 +158,11 @@
'if (pid != %s) { return 0; }' % args.pid)
else:
bpf_text = bpf_text.replace('PID_TID_FILTER', '')
+if args.uid:
+ bpf_text = bpf_text.replace('UID_FILTER',
+ 'if (uid != %s) { return 0; }' % args.uid)
+else:
+ bpf_text = bpf_text.replace('UID_FILTER', '')
if args.flag_filter:
bpf_text = bpf_text.replace('FLAGS_FILTER',
'if (!(flags & %d)) { return 0; }' % flag_filter_mask)
@@ -172,6 +188,7 @@
_fields_ = [
("id", ct.c_ulonglong),
("ts", ct.c_ulonglong),
+ ("uid", ct.c_uint32),
("ret", ct.c_int),
("comm", ct.c_char * TASK_COMM_LEN),
("fname", ct.c_char * NAME_MAX),
@@ -183,6 +200,8 @@
# header
if args.timestamp:
print("%-14s" % ("TIME(s)"), end="")
+if args.print_uid:
+ print("%-6s" % ("UID"), end="")
print("%-6s %-16s %4s %3s " %
("TID" if args.tid else "PID", "COMM", "FD", "ERR"), end="")
if args.extended_fields:
@@ -215,6 +234,9 @@
delta = event.ts - initial_ts
print("%-14.9f" % (float(delta) / 1000000), end="")
+ if args.print_uid:
+ print("%-6d" % event.uid, end="")
+
print("%-6d %-16s %4d %3d " %
(event.id & 0xffffffff if args.tid else event.id >> 32,
event.comm.decode('utf-8', 'replace'), fd_s, err), end="")
