tools/filelife: support full-path

Same as libbpf-tools/filelife changes [1], introduce -F argument to
support full-path.

Example:
    $ touch a.out && sleep 0.2 && rm a.out

    # Before

    $ sudo ./filelife.py
    TIME     PID     COMM             AGE(s)  FILE
    18:57:25 343907  rm               0.21    a.out

    # After

    $ sudo ./filelife.py -F
    TIME     PID     COMM             AGE(s)  FILE
    18:57:35 343917  rm               0.21    /home/sda/git-repos/iovisor/bcc/libbpf-tools/a.out
                                              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

[1] #5340
    74bddcbe646e

Signed-off-by: Rong Tao <[email protected]>

Author: Rtoax

tools/filelife.py

@@ -18,15 +18,18 @@
 # 17-Feb-2016   Allan McAleavy updated for BPF_PERF_OUTPUT
 # 13-Nov-2022   Rong Tao        Check btf struct field for CO-RE and add vfs_open()
 # 05-Nov-2023   Rong Tao        Support unlink failed
+# 01-Jul-2025   Rong Tao        Support full-path
 
 from __future__ import print_function
 from bcc import BPF
+from bcc.utils import printb
 import argparse
 from time import strftime
 
 # arguments
 examples = """examples:
     ./filelife           # trace lifecycle of file(create->remove)
+    ./filelife -F        # show full path of file
     ./filelife -p 181    # only trace PID 181
 """
 parser = argparse.ArgumentParser(
@@ -35,6 +38,8 @@
     epilog=examples)
 parser.add_argument("-p", "--pid",
     help="trace this PID only")
+parser.add_argument("-F", "--full-path", action="store_true",
+    help="show full path")
 parser.add_argument("--ebpf", action="store_true",
     help=argparse.SUPPRESS)
 args = parser.parse_args()
@@ -45,27 +50,56 @@
 #include <uapi/linux/ptrace.h>
 #include <linux/fs.h>
 #include <linux/sched.h>
+#include <linux/fs_struct.h>
+#ifdef FULLPATH
+INCLUDE_FULL_PATH_H
+INCLUDE_PATH_HELPERS_BPF_H
+#endif
 
 struct data_t {
     u32 pid;
     u64 delta;
     char comm[TASK_COMM_LEN];
+    u32 path_depth;
+#ifdef FULLPATH
+    FULL_PATH_FIELD(fname);
+#else
     char fname[DNAME_INLINE_LEN];
-    /* private */
-    void *dentry;
+#endif
 };
 
-BPF_HASH(birth, struct dentry *);
-BPF_HASH(unlink_data, u32, struct data_t);
-BPF_PERF_OUTPUT(events);
+struct create_arg {
+    u64 ts;
+    struct vfsmount *cwd_vfsmnt;
+};
+
+struct unlink_event {
+    u32 tid;
+    u64 delta;
+    struct dentry *dentry;
+    struct vfsmount *cwd_vfsmnt;
+};
+
+BPF_HASH(birth, struct dentry *, struct create_arg);
+BPF_HASH(unlink_data, u32, struct unlink_event);
+BPF_RINGBUF_OUTPUT(events, 64);
 
 static int probe_dentry(struct pt_regs *ctx, struct dentry *dentry)
 {
+    struct task_struct *task;
+    struct fs_struct *fs;
+    struct create_arg arg = {};
     u32 pid = bpf_get_current_pid_tgid() >> 32;
     FILTER
 
     u64 ts = bpf_ktime_get_ns();
-    birth.update(&dentry, &ts);
+    task = (struct task_struct *)bpf_get_current_task_btf();
+
+    arg.ts = ts;
+    bpf_probe_read_kernel(&fs, sizeof(fs), &task->fs);
+    bpf_probe_read_kernel(&arg.cwd_vfsmnt, sizeof(arg.cwd_vfsmnt), &fs->pwd.mnt);
+
+    birth.update(&dentry, &arg);
 
     return 0;
 }
@@ -98,46 +132,41 @@
 // trace file deletion and output details
 TRACE_UNLINK_FUNC
 {
-    struct data_t data = {};
+    struct create_arg *arg;
+    struct unlink_event event = {};
     u64 pid_tgid = bpf_get_current_pid_tgid();
     u32 pid = pid_tgid >> 32;
     u32 tid = (u32)pid_tgid;
 
     FILTER
 
-    u64 *tsp, delta;
-    tsp = birth.lookup(&dentry);
-    if (tsp == 0) {
+    u64 delta;
+    arg = birth.lookup(&dentry);
+    if (arg == 0) {
         return 0;   // missed create
     }
 
-    delta = (bpf_ktime_get_ns() - *tsp) / 1000000;
-
-    struct qstr d_name = dentry->d_name;
-    if (d_name.len == 0)
-        return 0;
-
-    if (bpf_get_current_comm(&data.comm, sizeof(data.comm)) == 0) {
-        data.pid = pid;
-        data.delta = delta;
-        bpf_probe_read_kernel(&data.fname, sizeof(data.fname), d_name.name);
-    }
+    delta = (bpf_ktime_get_ns() - arg->ts) / 1000000;
 
     /* record dentry, only delete from birth if unlink successful */
-    data.dentry = dentry;
+    event.delta = delta;
+    event.tid = tid;
+    event.dentry = dentry;
+    event.cwd_vfsmnt = arg->cwd_vfsmnt;
 
-    unlink_data.update(&tid, &data);
+    unlink_data.update(&tid, &event);
     return 0;
 }
 
 int trace_unlink_ret(struct pt_regs *ctx)
 {
     int ret = PT_REGS_RC(ctx);
+    struct unlink_event *unlink_event;
     struct data_t *data;
     u32 tid = (u32)bpf_get_current_pid_tgid();
 
-    data = unlink_data.lookup(&tid);
-    if (!data)
+    unlink_event = unlink_data.lookup(&tid);
+    if (!unlink_event)
         return 0;
 
     /* delete it any way */
@@ -147,8 +176,30 @@
     if (ret)
         return 0;
 
-    birth.delete((struct dentry **)&data->dentry);
-    events.perf_submit(ctx, data, sizeof(*data));
+    data = events.ringbuf_reserve(sizeof(struct data_t));
+    if (!data)
+        return 0;
+
+    data->pid = unlink_event->tid;
+    data->delta = unlink_event->delta;
+    bpf_get_current_comm(&data->comm, sizeof(data->comm));
+
+    data->path_depth = 0;
+
+#ifdef FULLPATH
+    if (data->fname[0] != '/') {
+        bpf_dentry_full_path(data->fname, NAME_MAX, MAX_ENTRIES,
+                             unlink_event->dentry, unlink_event->cwd_vfsmnt,
+                             &data->path_depth);
+    }
+#else
+    struct qstr d_name = unlink_event->dentry->d_name;
+    bpf_probe_read_kernel_str(&data->fname, sizeof(data->fname), d_name.name);
+#endif
+
+    birth.delete((struct dentry **)&unlink_event->dentry);
+
+    events.ringbuf_submit(data, sizeof(*data));
 
     return 0;
 }
@@ -183,10 +234,17 @@
         'if (pid != %s) { return 0; }' % args.pid)
 else:
     bpf_text = bpf_text.replace('FILTER', '')
-if debug or args.ebpf:
-    print(bpf_text)
-    if args.ebpf:
-        exit()
+
+if args.full_path:
+    bpf_text = "#define FULLPATH\n" + bpf_text
+
+    with open(BPF._find_file("full_path.h".encode("utf-8"))) as fileobj:
+        progtxt = fileobj.read()
+    bpf_text = bpf_text.replace('INCLUDE_FULL_PATH_H', progtxt)
+
+    with open(BPF._find_file("path_helpers.bpf.c".encode("utf-8"))) as fileobj:
+        progtxt = fileobj.read()
+    bpf_text = bpf_text.replace('INCLUDE_PATH_HELPERS_BPF_H', progtxt)
 
 if BPF.kernel_struct_has_field(b'renamedata', b'new_mnt_idmap') == 1:
     bpf_text = bpf_text.replace('TRACE_CREATE_FUNC', trace_create_text_3)
@@ -198,6 +256,11 @@
     bpf_text = bpf_text.replace('TRACE_CREATE_FUNC', trace_create_text_1)
     bpf_text = bpf_text.replace('TRACE_UNLINK_FUNC', trace_unlink_text_1)
 
+if debug or args.ebpf:
+    print(bpf_text)
+    if args.ebpf:
+        exit()
+
 # initialize BPF
 b = BPF(text=bpf_text)
 b.attach_kprobe(event="vfs_create", fn_name="trace_create")
@@ -216,13 +279,21 @@
 # process event
 def print_event(cpu, data, size):
     event = b["events"].event(data)
-    print("%-8s %-7d %-16s %-7.2f %s" % (strftime("%H:%M:%S"), event.pid,
-        event.comm.decode('utf-8', 'replace'), float(event.delta) / 1000,
-        event.fname.decode('utf-8', 'replace')))
-
-b["events"].open_perf_buffer(print_event)
+    printb(b"%-8s %-7d %-16s %-7.2f " % (strftime("%H:%M:%S").encode('utf-8', 'replace'),
+           event.pid, event.comm, float(event.delta) / 1000), nl="")
+    if args.full_path:
+        import os
+        import sys
+        sys.path.append(os.path.dirname(sys.argv[0]))
+        from path_helpers import get_full_path
+        result = get_full_path(event.fname, event.path_depth)
+        printb(b"%s" % result.encode("utf-8"))
+    else:
+        printb(b"%s" % event.fname)
+
+b["events"].open_ring_buffer(print_event)
 while 1:
     try:
-        b.perf_buffer_poll()
+        b.ring_buffer_poll()
     except KeyboardInterrupt:
         exit()

tools/filelife_example.txt

@@ -39,14 +39,16 @@ optimizations.
 USAGE message:
 
 # ./filelife -h
-usage: filelife [-h] [-p PID]
+usage: filelife.py [-h] [-p PID] [-F]
 
-Trace stat() syscalls
+Trace lifecycle of file
 
-optional arguments:
-  -h, --help         show this help message and exit
-  -p PID, --pid PID  trace this PID only
+options:
+  -h, --help       show this help message and exit
+  -p, --pid PID    trace this PID only
+  -F, --full-path  show full path
 
 examples:
-    ./filelife           # trace all stat() syscalls
+    ./filelife           # trace lifecycle of file(create->remove)
+    ./filelife -F        # show full path of file
     ./filelife -p 181    # only trace PID 181