[root@jouet bpf]# perf trace -e openat cat /proc/cpuinfo  > /dev/null
     0.000 ( 0.009 ms): cat/31622 openat(dfd: CWD, filename: 0xb3f68563, flags: CLOEXEC                 ) = 3
     0.024 ( 0.005 ms): cat/31622 openat(dfd: CWD, filename: 0xb4170ce0, flags: CLOEXEC                 ) = 3
     0.265 (11.566 ms): cat/31622 openat(dfd: CWD, filename: 0x9eded3e5                                 ) = 3

[root@jouet bpf]# trace -e openat,o_direct.c cat /proc/cpuinfo  > /dev/null
     0.000 (         ): __bpf_stdout__:/etc/ld.so.cache....)
     0.013 (         ): syscalls:sys_enter_openat:dfd: 0xffffffffffffff9c, filename: 0x7f60dd6d3563, flags: 0x00080000, mode: 0x00000000)
     0.015 ( 0.011 ms): cat/32085 openat(dfd: CWD, filename: 0xdd6d3563, flags: CLOEXEC                 ) = 3
     0.072 (         ): __bpf_stdout__:/lib64/libc.so.6....)
     0.074 (         ): syscalls:sys_enter_openat:dfd: 0xffffffffffffff9c, filename: 0x7f60dd8dbce0, flags: 0x00080000, mode: 0x00000000)
     0.076 ( 0.013 ms): cat/32085 openat(dfd: CWD, filename: 0xdd8dbce0, flags: CLOEXEC                 ) = 3
     0.775 (11.544 ms): cat/32085 openat(dfd: CWD, filename: 0x3990319a                                 ) = 3
[root@jouet bpf]# cat o_direct.c 
#include "bpf.h"

#define O_CLOEXEC       02000000

int syscall_enter(openat)
{
	char filename[256];
	int flags;
	int len = syscall_field_str(filename, 24);

	syscall_field_int(flags, 32);

	if (!(flags & O_CLOEXEC))
		return 0;

	perf_stdout(filename, len);
	return 1;
}
[root@jouet bpf]#

Catch bpf.h at http://vger.kernel.org/~acme/perf/bpf.h