bpftime
[Bug] Support for Syscall Interception in Non-privileged Containers
First of all, thank you for developing this exciting project. I've been experimenting with bpftime for intercepting system calls, particularly in the context of non-privileged containers. However, I've encountered some issues and seem unable to successfully perform interceptions in this environment.
Here is the script I've attempted:
```
~/.bpftime/bpftime load bpftrace -e 'kprobe:__x64_sys_execve {
  printf("execve called by PID %d (Command: %s)\n", pid, comm);
}'
```

```
[2024-01-17 15:48:35.710] [info] [syscall_context.hpp:84] manager constructed
[2024-01-17 15:48:35.713] [info] [syscall_server_utils.cpp:24] Initialize syscall server
[2024-01-17 15:48:35][info][5242] Global shm constructed. shm_open_type 0 for bpftime_maps_shm
[2024-01-17 15:48:35][info][5242] Enabling helper groups ffi, kernel, shm_map by default
[2024-01-17 15:48:35][info][5242] bpftime-syscall-server started
stdin:1:1-24: WARNING: __x64_sys_execve is not traceable (either non-existing, inlined, or marked as "notrace"); attaching to it will likely fail
kprobe:__x64_sys_execve {
~~~~~~~~~~~~~~~~~~~~~~~
Attaching 1 probe...
[2024-01-17 15:48:35][info][5242] Calling original perf event open
create_probe_event: open(/sys/kernel/tracing/kprobe_events): No such file or directory
ERROR: Error attaching probe: 'kprobe:__x64_sys_execve'
INFO [5242]: Global shm destructed
```
I'm not sure if it's an issue with my approach or if bpftime currently does not support this operation in non-privileged containers. Any guidance or information you could provide would be greatly appreciated.
bpftime needs to access /sys/kernel/tracing/events/syscalls to get syscall tracepoint ids. This directory was not accessible by non-root users.
I think maybe we can find a way to solve this? It doesn't seem necessary for bpftime to access /sys/kernel/tracing/events/syscalls, since it doesn't actually work in the kernel?
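The thread names two tracefs paths: `/sys/kernel/tracing/kprobe_events` in the log and `/sys/kernel/tracing/events/syscalls` in the reply. The preflight check below is an added example, not part of the thread or of bpftime's code; it reports, for the current user, whether each path is missing (tracefs not mounted in the container) or present but unreadable. The function names and the `sys_enter_execve/id` sample file are choices made for this example.

```shell
#!/bin/sh
# Added example (not bpftime code): classify the tracefs paths from this
# thread as ok / unreadable / missing for the user running the check.

# probe_path PATH -> prints one of: ok, unreadable, missing
probe_path() {
    p=$1
    if [ -e "$p" ]; then
        # Present: files must be readable, directories readable and searchable.
        if [ -r "$p" ] && { [ ! -d "$p" ] || [ -x "$p" ]; }; then
            echo ok
        else
            echo unreadable
        fi
        return
    fi
    # stat failed: a component is absent, or an ancestor is not searchable.
    # Walk up to the nearest ancestor that does exist to tell the two apart.
    parent=$(dirname "$p")
    while [ "$parent" != "/" ] && [ "$parent" != "." ] && [ ! -e "$parent" ]; do
        parent=$(dirname "$parent")
    done
    if [ -d "$parent" ] && [ ! -x "$parent" ]; then
        echo unreadable
    else
        echo missing
    fi
}

# check_tracefs [ROOT] -> prints one line per path, returns 0 only if all are ok
check_tracefs() {
    root=${1:-/sys/kernel/tracing}
    rc=0
    # kprobe_events: the file the log fails to open.
    # events/syscalls: the directory the reply says is needed for tracepoint ids.
    # sys_enter_execve/id: one tracepoint id file, picked as a sample.
    for rel in kprobe_events events/syscalls events/syscalls/sys_enter_execve/id; do
        state=$(probe_path "$root/$rel")
        printf '%-12s %s\n' "$state" "$root/$rel"
        [ "$state" = ok ] || rc=1
    done
    return $rc
}
```

Source the file inside the container and run `check_tracefs`; pass another root as the first argument if tracefs is mounted elsewhere, such as the legacy `/sys/kernel/debug/tracing`.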