You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
29 lines
1.1 KiB
29 lines
1.1 KiB
4 months ago
|
Demonstrations of mountsnoop.
|
||
|
|
|
||
|
|
mountsnoop traces the mount() and umount syscalls system-wide. For example,
|
||
|
|
running the following series of commands produces this output:
|
||
|
|
|
||
|
|
# mount --bind /mnt /mnt
|
||
|
|
# umount /mnt
|
||
|
|
# unshare -m
|
||
|
|
# mount --bind /mnt /mnt
|
||
|
|
# umount /mnt
|
||
|
|
|
||
|
|
# ./mountsnoop.py
|
||
|
|
COMM PID TID MNT_NS CALL
|
||
|
|
mount 710 710 4026531840 mount("/mnt", "/mnt", "", MS_MGC_VAL|MS_BIND, "") = 0
|
||
|
|
umount 714 714 4026531840 umount("/mnt", 0x0) = 0
|
||
|
|
unshare 717 717 4026532160 mount("none", "/", "", MS_REC|MS_PRIVATE, "") = 0
|
||
|
|
mount 725 725 4026532160 mount("/mnt", "/mnt", "", MS_MGC_VAL|MS_BIND, "") = 0
|
||
|
|
umount 728 728 4026532160 umount("/mnt", 0x0) = 0
|
||
|
|
|
||
|
|
The output shows the calling command, its process ID and thread ID, the mount
|
||
|
|
namespace the call was made in, and the call itself.
|
||
|
|
|
||
|
|
The mount namespace number is an inode number that uniquely identifies the
|
||
|
|
namespace in the running system. This can also be obtained from readlink
|
||
|
|
/proc/$PID/ns/mnt.
|
||
|
|
|
||
|
|
Note that because of restrictions in BPF, the string arguments to either
|
||
|
|
syscall may be truncated.
|