ioctl bpftrace script

ioctlsnoop.bt

#!/usr/bin/env bpftrace
/*
 * ioctlsnoop	Trace ioctl() syscalls.
 *		For Linux, uses bpftrace and eBPF.
 *
 * USAGE: ioctlsnoop.bt
 *
 * Copyright 2022 Jim Ma.
 * Licensed under the Apache License, Version 2.0 (the "License")
 *
 * 18-Dec-2022	Jim Ma	Created this.
 */

BEGIN
{
	printf("Tracing ioctl syscalls... Hit Ctrl-C to end.\n");
	printf("%-6s %-16s %4s %3s %s %s\n", "PID", "COMM", "FD", "ERR", "CMD", "PATH");
}

tracepoint:syscalls:sys_enter_open,
tracepoint:syscalls:sys_enter_openat
{
	@filename[tid] = args->filename;
}

tracepoint:syscalls:sys_exit_open,
tracepoint:syscalls:sys_exit_openat
//@filename[tid]
//@fd2filename[fd]
{
	$ret = args->ret;
	$fd = $ret > 0 ? $ret : -1;
	@fd2filename[$fd] = @filename[tid];
	delete(@filename[tid]);
}

tracepoint:syscalls:sys_enter_ioctl
{
        // save args
	@fds[tid] = args->fd;
	@cmd[tid] = args->cmd;
}

tracepoint:syscalls:sys_exit_ioctl
//@fds[tid]
//@cmd[tid]
{
	$ret = args->ret;
	$fd = @fds[tid];
	$errno = $ret > 0 ? 0 : - $ret;

	printf("%-6d %-16s %4d 0x%x %3d %s\n", pid, comm, $fd,
	    @cmd[tid], $errno, str(@fd2filename[$fd]));
	delete(@fds[tid]);
	delete(@cmd[tid]);
}

END
{
	clear(@filename);
	clear(@fd2filename);
	clear(@fds);
	clear(@cmd);
}