From b3108cabb7ff97f8bb8b8398842cb2e8c623664c Mon Sep 17 00:00:00 2001
From: zgzxx
Date: Wed, 6 Dec 2023 16:13:13 +0800
Subject: creatfile check op intent value
---
 observer_agent/ebpf/file_ebpf/file_fentry.bpf.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/observer_agent/ebpf/file_ebpf/file_fentry.bpf.c b/observer_agent/ebpf/file_ebpf/file_fentry.bpf.c
index 7afb7e2..f4e7e44 100644
--- a/observer_agent/ebpf/file_ebpf/file_fentry.bpf.c
+++ b/observer_agent/ebpf/file_ebpf/file_fentry.bpf.c
@@ -12,6 +12,7 @@
 #define S_ISREG(m) (((m) & S_IFMT) == S_IFREG)
 #define O_CREAT 100
+#define LOOKUP_CREATE 0x0200
 char LICENSE[] SEC("license") = "Dual BSD/GPL";
@@ -107,7 +108,7 @@ int BPF_PROG(do_filp_open_exit, int dfd, struct filename *pathname, const struct
 struct ebpf_event *e = NULL;
 RETURN_ZERO_IF_OURSELF();
- if (op && !(op->open_flag & O_CREAT))
+ if (op && (!(op->open_flag & O_CREAT) || !(op->intent & LOOKUP_CREATE)))
 return 0;
 if (!S_ISREG(ret_file->f_inode->i_mode))
 return 0;
-- 
2.33.0
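Review bot: The context line `#define O_CREAT 100` in the first hunk is a decimal literal, while the asm-generic value of O_CREAT is octal 0100 (0x40); decimal 100 is 0x64, so `op->open_flag & O_CREAT` also matches bits 0x20 and 0x04, which are not the create flag. The new `LOOKUP_CREATE 0x0200` test masks this for now, but the open_flag half of the condition remains wrong. I would change the define to `#define O_CREAT 0100 /* octal, asm-generic value; differs on some architectures */`, and give the new constant a comment naming the kernel header it mirrors, since neither macro is available from BTF-generated headers.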
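Review bot: In the second hunk, an open with O_CREAT on a file that already exists still passes the new condition in do_filp_open_exit, because LOOKUP_CREATE in `op->intent` records that creation was requested, not that it happened. If the event is meant to report newly created files only, the returned file could be checked as well, for example `if (!(ret_file->f_mode & FMODE_CREATED)) return 0;`, with FMODE_CREATED defined locally to match the target kernel (value to be confirmed against that kernel's headers). Also, when `op` is NULL the whole filter is skipped and the event is emitted unfiltered; `if (!op || ...) return 0;` would fail closed. The next context line dereferences `ret_file->f_inode` with no error-pointer check visible in the hunk; the function body continues outside the hunk, so that check may exist elsewhere.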