libbpf-tools: introduce path helpers and filelife support full-path #5340

Rtoax · 2025-06-22T09:31:36Z

1st patch: libbpf-tools: Introduce path helpers

There will be many programs that need to get the current working directory
or full-path of file, such as opensnoop, which is already supported.
and other tools like filelife/filetop need it too.

Therefore, it will be helpful to separate the bpf_getcwd function from
opensnoop.bpf.c as a public helper function.

Add functions:

bpf_dentry_full_path(): Get the full-path based on the dentry and
vfsmount.
bpf_getcwd(): Get the full-path of the current working directory.
print_full_path(): Assembling full-path in user space.

Add structures:

struct full_path {}: Record the absolute path.

2nd patch: libbpf-tools/filelife: support full-path

To support full-path, the following operations are performed:

First, to support the transmission of larger data, perf-buffer is
replaced with ring-buff.
Then, before this patch, events are constructed in kprobe/unlink,
and events of successful unlink are submitted in kretprobe/unlink.
However, the reservation and submission of ring-buff cannot be
separated, so the struct unlink_event small structure is introduced
for transfer, and the reservation and submission of events are in
kretprobe/unlink.
In order to record the dentry and vfsmount structures of cwd when the
file is created, the structure struct create_arg{} is introduced.
Note: cannot obtain the dentry and vfsmount structures of cwd in
kretprobe/unlink.

Example:

# Test commands
$ cd /home/sda/git-repos/
$ touch a.out && sleep 0.2 && rm a.out

# before
$ sudo ./filelife
Tracing the lifespan of short-lived files ... Hit Ctrl-C to end.
TIME     PID    COMM             AGE(s)  FILE
17:27:05 458702 rm               0.21    a.out

# after
$ sudo ./filelife -F
Tracing the lifespan of short-lived files ... Hit Ctrl-C to end.
TIME     PID    COMM             AGE(s)  FILE
17:26:58 458692 rm               0.21    /home/sda/git-repos/a.out
                                         ^^^^^^^^^^^^^^^^^^^^ full-path

There will be many programs that need to get the current working directory or full-path of file, such as opensnoop, which is already supported. and other tools like filelife/filetop need it too. Therefore, it will be helpful to separate the bpf_getcwd function from opensnoop.bpf.c as a public helper function. Add functions: 1. bpf_dentry_full_path(): Get the full-path based on the dentry and vfsmount. 2. bpf_getcwd(): Get the full-path of the current working directory. 3. print_full_path(): Assembling full-path in user space. Add structures: 1. struct full_path {}: Record the absolute path. Signed-off-by: Rong Tao <[email protected]>

To support full-path, the following operations are performed: 1. First, to support the transmission of larger data, perf-buffer is replaced with ring-buff. 2. Then, before this patch, events are constructed in kprobe/unlink, and events of successful unlink are submitted in kretprobe/unlink. However, the reservation and submission of ring-buff cannot be separated, so the struct unlink_event small structure is introduced for transfer, and the reservation and submission of events are in kretprobe/unlink. 3. In order to record the dentry and vfsmount structures of cwd when the file is created, the structure struct create_arg{} is introduced. Note: cannot obtain the dentry and vfsmount structures of cwd in kretprobe/unlink. Example: # Test commands $ cd /home/sda/git-repos/ $ touch a.out && sleep 0.2 && rm a.out # before $ sudo ./filelife Tracing the lifespan of short-lived files ... Hit Ctrl-C to end. TIME PID COMM AGE(s) FILE 17:27:05 458702 rm 0.21 a.out # after $ sudo ./filelife -F Tracing the lifespan of short-lived files ... Hit Ctrl-C to end. TIME PID COMM AGE(s) FILE 17:26:58 458692 rm 0.21 /home/sda/git-repos/a.out ^^^^^^^^^^^^^^^^^^^^ full-path Signed-off-by: Rong Tao <[email protected]>

In bcc PR [1], add common path helpers for serial of tools, this patch do the same thing. After analysis and experiments, libbpf-tools/c and tools/py codes about path-helpers cannot be reused. Thus, this patch add: 1. full_path.h: defined FULL_PATH_FIELD(name); 2. path_helpers.bpf.c: add bpf_dentry_full_path() and bpf_getcwd() helpers same as commit [1]; 3. path_helpers.py: add get_full_path() to parse full-path in full_path.h; [1] iovisor#5340 Signed-off-by: Rong Tao <[email protected]>

Same as libbpf-tools/filelife changes [1], introduce -F argument to support full-path. [1] iovisor#5340 iovisor@74bddcbe646e Signed-off-by: Rong Tao <[email protected]>

Same as libbpf-tools/filelife changes [1], introduce -F argument to support full-path. Example: $ touch a.out && sleep 0.2 && rm a.out # Before $ sudo ./filelife.py TIME PID COMM AGE(s) FILE 18:57:25 343907 rm 0.21 a.out # After $ sudo ./filelife.py -F TIME PID COMM AGE(s) FILE 18:57:35 343917 rm 0.21 /home/sda/git-repos/iovisor/bcc/libbpf-tools/a.out ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ [1] iovisor#5340 iovisor@74bddcbe646e Signed-off-by: Rong Tao <[email protected]>