1 Demonstrations of mountsnoop. 2 3 mountsnoop traces the mount() and umount syscalls system-wide. For example, 4 running the following series of commands produces this output: 5 6 # mount --bind /mnt /mnt 7 # umount /mnt 8 # unshare -m 9 # mount --bind /mnt /mnt 10 # umount /mnt 11 12 # ./mountsnoop.py 13 COMM PID TID MNT_NS CALL 14 mount 710 710 4026531840 mount("/mnt", "/mnt", "", MS_MGC_VAL|MS_BIND, "") = 0 15 umount 714 714 4026531840 umount("/mnt", 0x0) = 0 16 unshare 717 717 4026532160 mount("none", "/", "", MS_REC|MS_PRIVATE, "") = 0 17 mount 725 725 4026532160 mount("/mnt", "/mnt", "", MS_MGC_VAL|MS_BIND, "") = 0 18 umount 728 728 4026532160 umount("/mnt", 0x0) = 0 19 20 The output shows the calling command, its process ID and thread ID, the mount 21 namespace the call was made in, and the call itself. 22 23 The mount namespace number is an inode number that uniquely identifies the 24 namespace in the running system. This can also be obtained from readlink 25 /proc/$PID/ns/mnt. 26 27 Note that because of restrictions in BPF, the string arguments to either 28 syscall may be truncated. 29
