libbpf-tools: statsnoop: Support fstat(2) and parse fd/dirfd in userspace (#5233)

Added support for fstat system calls, and resolve file names and paths from fd
and dirfd in user mode.

Userspace test code:

    # fstatat.c
    dirfd = openat(AT_FDCWD, "./", O_RDONLY | O_CLOEXEC);
    fstatat(dirfd, argv[0], &buf, AT_SYMLINK_NOFOLLOW);
    fstatat(dirfd, "/etc/os-release", &buf, AT_SYMLINK_NOFOLLOW);

    # fstat.c
    fd = open("/etc/os-release", O_RDONLY);
    fstat(fd, &buf);
    fstat(AT_FDCWD, &buf);

Tracing:

  Before:

    $ sudo ./statsnoop -s
    PID     COMM                 RET  ERR  SYSCALL    PATH
    25719   fstatat              0    0    newfstatat ./fstatat        <no cwd>
    25719   fstatat              0    0    newfstatat /etc/os-release
    < couldn't tracing fstat(2) >

  This patch:

    $ sudo ./statsnoop -s
    PID     COMM                 RET  ERR  SYSCALL    PATH
    26794   fstatat              0    0    newfstatat /home/sdb/Git/tst-linux/syscall/samples/stat/./fstatat
    26794   fstatat              0    0    newfstatat /etc/os-release
    26797   fstat                0    0    newfstat   /usr/lib/os-release
    26800   fstat                -1   9    newfstat   /home/sdb/Git/tst-linux/syscall/samples/stat

Maybe this isn't a good approach, as it's possible that both the process and
the fd don't exist during parsing the fd and dirfd. Of course, this is
problematic for processes and fds that survive for a short period of time,
however, for long-running daemons, there is no problem.

Signed-off-by: Rong Tao <[email protected]>

Author: Rtoax

libbpf-tools/statsnoop.bpf.c

@@ -11,6 +11,8 @@ const volatile pid_t target_pid = 0;
 const volatile bool  trace_failed_only = false;
 
 struct value {
+	int fd;
+	int dirfd;
 	const char *pathname;
 	enum sys_type type;
 };
@@ -28,19 +30,22 @@ struct {
 	__uint(value_size, sizeof(__u32));
 } events SEC(".maps");
 
-static int probe_entry(void *ctx, enum sys_type type, const char *pathname)
+static int probe_entry(void *ctx, enum sys_type type, int fd, int dirfd,
+		       const char *pathname)
 {
 	__u64 id = bpf_get_current_pid_tgid();
 	__u32 pid = id >> 32;
 	__u32 tid = (__u32)id;
 	struct value value = {};
 
-	if (!pathname)
+	if (!pathname && fd == INVALID_FD)
 		return 0;
 
 	if (target_pid && target_pid != pid)
 		return 0;
 
+	value.fd = fd;
+	value.dirfd = dirfd;
 	value.pathname = pathname;
 	value.type = type;
 
@@ -70,7 +75,13 @@ static int probe_return(void *ctx, int ret)
 	event.ret = ret;
 	event.type = pvalue->type;
 	bpf_get_current_comm(&event.comm, sizeof(event.comm));
-	bpf_probe_read_user_str(event.pathname, sizeof(event.pathname), pvalue->pathname);
+	event.fd = pvalue->fd;
+	event.dirfd = pvalue->dirfd;
+	if (pvalue->pathname)
+		bpf_probe_read_user_str(event.pathname, sizeof(event.pathname),
+					pvalue->pathname);
+	else
+		event.pathname[0] = '\0';
 
 	bpf_perf_event_output(ctx, &events, BPF_F_CURRENT_CPU, &event, sizeof(event));
 	bpf_map_delete_elem(&values, &tid);
@@ -80,7 +91,8 @@ static int probe_return(void *ctx, int ret)
 SEC("tracepoint/syscalls/sys_enter_statfs")
 int handle_statfs_entry(struct syscall_trace_enter *ctx)
 {
-	return probe_entry(ctx, SYS_STATFS, (const char *)ctx->args[0]);
+	return probe_entry(ctx, SYS_STATFS, INVALID_FD, INVALID_FD,
+			   (const char *)ctx->args[0]);
 }
 
 SEC("tracepoint/syscalls/sys_exit_statfs")
@@ -92,7 +104,8 @@ int handle_statfs_return(struct syscall_trace_exit *ctx)
 SEC("tracepoint/syscalls/sys_enter_newstat")
 int handle_newstat_entry(struct syscall_trace_enter *ctx)
 {
-	return probe_entry(ctx, SYS_NEWSTAT, (const char *)ctx->args[0]);
+	return probe_entry(ctx, SYS_NEWSTAT, INVALID_FD, INVALID_FD,
+			   (const char *)ctx->args[0]);
 }
 
 SEC("tracepoint/syscalls/sys_exit_newstat")
@@ -104,7 +117,8 @@ int handle_newstat_return(struct syscall_trace_exit *ctx)
 SEC("tracepoint/syscalls/sys_enter_statx")
 int handle_statx_entry(struct syscall_trace_enter *ctx)
 {
-	return probe_entry(ctx, SYS_STATX, (const char *)ctx->args[1]);
+	return probe_entry(ctx, SYS_STATX, INVALID_FD, (int)ctx->args[0],
+			   (const char *)ctx->args[1]);
 }
 
 SEC("tracepoint/syscalls/sys_exit_statx")
@@ -113,10 +127,25 @@ int handle_statx_return(struct syscall_trace_exit *ctx)
 	return probe_return(ctx, (int)ctx->ret);
 }
 
+SEC("tracepoint/syscalls/sys_enter_newfstat")
+int handle_newfstat_entry(struct syscall_trace_enter *ctx)
+{
+	return probe_entry(ctx, SYS_NEWFSTAT, (int)ctx->args[0], INVALID_FD,
+			   NULL);
+}
+
+SEC("tracepoint/syscalls/sys_exit_newfstat")
+int handle_newfstat_return(struct syscall_trace_exit *ctx)
+{
+	return probe_return(ctx, (int)ctx->ret);
+}
+
+
 SEC("tracepoint/syscalls/sys_enter_newfstatat")
 int handle_newfstatat_entry(struct syscall_trace_enter *ctx)
 {
-	return probe_entry(ctx, SYS_NEWFSTATAT, (const char *)ctx->args[1]);
+	return probe_entry(ctx, SYS_NEWFSTATAT, INVALID_FD, (int)ctx->args[0],
+			   (const char *)ctx->args[1]);
 }
 
 SEC("tracepoint/syscalls/sys_exit_newfstatat")
@@ -128,7 +157,8 @@ int handle_newfstatat_return(struct syscall_trace_exit *ctx)
 SEC("tracepoint/syscalls/sys_enter_newlstat")
 int handle_newlstat_entry(struct syscall_trace_enter *ctx)
 {
-	return probe_entry(ctx, SYS_NEWLSTAT, (const char *)ctx->args[0]);
+	return probe_entry(ctx, SYS_NEWLSTAT, INVALID_FD, INVALID_FD,
+			   (const char *)ctx->args[0]);
 }
 
 SEC("tracepoint/syscalls/sys_exit_newlstat")

libbpf-tools/statsnoop.c

@@ -3,8 +3,10 @@
 //
 // Based on statsnoop(8) from BCC by Brendan Gregg.
 // 09-May-2021   Hengqi Chen   Created this.
+// 15-Mar-2025   Rong Tao      Support fd and dirfd.
 #include <argp.h>
 #include <errno.h>
+#include <fcntl.h>
 #include <signal.h>
 #include <time.h>
 #include <unistd.h>
@@ -58,6 +60,7 @@ static char *sys_names[] = {
 	[SYS_STATFS] = "statfs",
 	[SYS_NEWSTAT] = "newstat",
 	[SYS_STATX] = "statx",
+	[SYS_NEWFSTAT] = "newfstat",
 	[SYS_NEWFSTATAT] = "newfstatat",
 	[SYS_NEWLSTAT] = "newlstat",
 };
@@ -109,12 +112,44 @@ static void sig_int(int signo)
 	exiting = 1;
 }
 
+char *proc_fd_pathname(pid_t pid, int fd, int is_dir, char *buf, size_t buf_len)
+{
+	int err, n;
+	char fdpath[PATH_MAX];
+
+	if (fd == INVALID_FD)
+		goto skip;
+	else if (fd == AT_FDCWD)
+		snprintf(fdpath, PATH_MAX - 1, "/proc/%d/cwd", pid);
+	else
+		snprintf(fdpath, PATH_MAX - 1, "/proc/%d/fd/%d", pid, fd);
+
+	err = readlink(fdpath, buf, buf_len);
+	if (err == -1)
+		goto skip;
+
+	if (is_dir) {
+		/* Add '/' in the end of string */
+		n = strlen(buf);
+		buf[n] = '/';
+		buf[n + 1] = '\0';
+	}
+
+	return buf;
+
+skip:
+	/* maybe process already exit or fd already be closed, just ignore cwd
+	 * or skip no-exist pathname */
+	return "";
+}
+
 static void handle_event(void *ctx, int cpu, void *data, __u32 data_sz)
 {
 	static __u64 start_timestamp = 0;
 	struct event e;
 	int fd, err;
 	double ts = 0.0;
+	char fdpath[PATH_MAX] = {0}, dirfdpath[PATH_MAX] = {0};
 
 	if (data_sz < sizeof(e)) {
 		printf("Error: packet too small\n");
@@ -139,7 +174,11 @@ static void handle_event(void *ctx, int cpu, void *data, __u32 data_sz)
 	printf("%-7d %-20s %-4d %-4d", e.pid, e.comm, fd, err);
 	if (emit_sysname)
 		printf(" %-10s", sys_names[e.type]);
-	printf(" %-s\n", e.pathname);
+
+	printf(" %s%s%-s\n",
+		e.pathname[0] == '/' ? "" : proc_fd_pathname(e.pid, e.fd, 0, fdpath, PATH_MAX),
+		e.pathname[0] == '/' ? "" : proc_fd_pathname(e.pid, e.dirfd, 1, dirfdpath, PATH_MAX),
+		e.pathname);
 }
 
 static void handle_lost_events(void *ctx, int cpu, __u64 lost_cnt)
@@ -196,6 +235,10 @@ int main(int argc, char **argv)
 		bpf_program__set_autoload(obj->progs.handle_newfstatat_entry, false);
 		bpf_program__set_autoload(obj->progs.handle_newfstatat_return, false);
 	}
+	if (!tracepoint_exists("syscalls", "sys_enter_newfstat")) {
+		bpf_program__set_autoload(obj->progs.handle_newfstat_entry, false);
+		bpf_program__set_autoload(obj->progs.handle_newfstat_return, false);
+	}
 	if (!tracepoint_exists("syscalls", "sys_enter_newlstat")) {
 		bpf_program__set_autoload(obj->progs.handle_newlstat_entry, false);
 		bpf_program__set_autoload(obj->progs.handle_newlstat_return, false);

libbpf-tools/statsnoop.h

@@ -9,6 +9,7 @@ enum sys_type {
 	SYS_STATFS = 1,
 	SYS_NEWSTAT,
 	SYS_STATX,
+	SYS_NEWFSTAT,
 	SYS_NEWFSTATAT,
 	SYS_NEWLSTAT,
 };
@@ -19,6 +20,14 @@ struct event {
 	enum sys_type type;
 	int ret;
 	char comm[TASK_COMM_LEN];
+
+	/**
+	 * fd: fstat(2)
+	 * dirfd: statx(2), fstatat(2)
+	 */
+#define INVALID_FD	(-1)
+	int fd;
+	int dirfd;
 	char pathname[NAME_MAX];
 };