lizrice / learning-ebpf

Learning eBPF, published by O'Reilly - out now! Here's where you'll find a VM config for the examples, and more
https://www.amazon.com/Learning-eBPF-Programming-Observability-Networking/dp/1098135121
Apache License 2.0

Issues When Using fexit/fentry #16

Closed laikas123 closed 1 year ago

laikas123 commented 1 year ago

Hello

I have been trying to use the example from chapter 7.

Running make works fine, but then "sudo ./hello" produces the following error:

```
root@c2eac50ed0ef:/learning-ebpf/chapter7# ./hello
libbpf: prog 'fentry_execve': failed to find kernel BTF type ID of 'do_execve': -3
libbpf: prog 'fentry_execve': failed to prepare load attributes: -3
libbpf: prog 'fentry_execve': failed to load: -3
libbpf: failed to load object 'hello_bpf'
libbpf: failed to load BPF skeleton 'hello_bpf': -3
....
```

The line that interests me the most is:

```
failed to find kernel BTF type ID of 'do_execve': -3
```

When I run the other suggested fentry example from libbpf-bootstrap, e.g. this example:

https://github.com/libbpf/libbpf-bootstrap/blob/master/examples/c/kprobe.bpf.c

Running the example works great without any changes made.

However if I change the lines:

```c
SEC("kprobe/do_unlinkat")
int BPF_KPROBE(do_unlinkat, int dfd, struct filename *name)
```

to

```c
SEC("kprobe/do_execve")
int BPF_KPROBE(do_execve, int dfd, struct filename *name)
```

Then it breaks, and gives:

```
root@c2eac50ed0ef:/libbpf-bootstrap/examples/c# ./fentry
libbpf: loading object 'fentry_bpf' from buffer
...
...
libbpf: prog 'do_execve': failed to find kernel BTF type ID of 'do_execve': -3
libbpf: prog 'do_execve': failed to prepare load attributes: -3
libbpf: prog 'do_execve': failed to load: -3
libbpf: failed to load object 'fentry_bpf'
libbpf: failed to load BPF skeleton 'fentry_bpf': -3
Failed to open BPF skeleton
```

I know this issue isn't specific to execve, and I know that it's the "SEC" line being changed that is causing issues.

But I don't know how to interpret this error:

```
failed to find kernel BTF type ID
```

And why does it work for unlinkat, but not execve?

I know this is just my lack of understanding, but I am really lost and any pointers in the right direction would be awesome.

uname -a output:

```
Linux c2eac50ed0ef 5.19.0-41-generic #42~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Tue Apr 18 17:40:00 UTC 2 x86_64 x86_64 x86_64 GNU/Linux
```

Thank you

laikas123 commented 1 year ago

Solved, use do_execveat_common instead
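The lookup behind that error, and a way to check a target before loading, as an added example that is not part of this thread, of the book's code, or of libbpf-bootstrap: libbpf resolves `SEC("fentry/NAME")` and `SEC("fexit/NAME")` by looking `NAME` up among the `FUNC` entries of the kernel's BTF, and when no such entry exists (typically because the compiler inlined the function, so it only survives inside its caller such as `do_execveat_common`) the load fails with `-3`, which is `ESRCH`. The script below parses the text output of `bpftool btf dump file /sys/kernel/btf/vmlinux` (that line format is real) and performs the same lookup ahead of time; `SAMPLE_BTF_DUMP` is constructed and its type ids are made up, and the helper names are this example's own.

```python
"""Pre-flight check for fentry/fexit attach targets.

libbpf resolves SEC("fentry/NAME") / SEC("fexit/NAME") by looking NAME up among
the FUNC entries of the kernel BTF (/sys/kernel/btf/vmlinux). A name with no
FUNC entry fails at load time with
"failed to find kernel BTF type ID of 'NAME': -3" (-3 == ESRCH).
This parses the text output of `bpftool btf dump file /sys/kernel/btf/vmlinux`
and does the same lookup before anything is loaded.
"""
import re
import shutil
import subprocess
from typing import Dict, Iterable, List, Optional

# One FUNC line of bpftool's text dump looks like:
#   [12345] FUNC 'do_unlinkat' type_id=12344 linkage=static
# The regex deliberately does not match FUNC_PROTO lines.
FUNC_LINE = re.compile(r"^\[(\d+)\]\s+FUNC\s+'([^']+)'\s+type_id=(\d+)")

# Constructed sample dump (type ids are made up). It mirrors a kernel where
# do_unlinkat and do_execveat_common have FUNC entries but do_execve does not.
SAMPLE_BTF_DUMP = """\
[100] STRUCT 'filename' size=32 vlen=4
[200] FUNC_PROTO '(anon)' ret_type_id=9 vlen=2
[201] FUNC 'do_unlinkat' type_id=200 linkage=static
[300] FUNC_PROTO '(anon)' ret_type_id=9 vlen=4
[301] FUNC 'do_execveat_common' type_id=300 linkage=static
[302] FUNC '__x64_sys_execve' type_id=300 linkage=static
"""


def btf_func_ids(dump_lines: Iterable[str]) -> Dict[str, int]:
    """Map every FUNC name in a bpftool BTF text dump to its BTF type id."""
    ids: Dict[str, int] = {}
    for line in dump_lines:
        m = FUNC_LINE.match(line.strip())
        if m:
            ids[m.group(2)] = int(m.group(1))
    return ids


def resolve_attach_target(sec: str, func_ids: Dict[str, int]) -> Optional[int]:
    """BTF id libbpf would use for SEC("fentry/X") or SEC("fexit/X"); None if X is absent."""
    kind, sep, func = sec.partition("/")
    if not sep or kind not in ("fentry", "fexit") or not func:
        raise ValueError(f"not an fentry/fexit section name: {sec!r}")
    return func_ids.get(func)


def suggest_targets(func: str, func_ids: Dict[str, int]) -> List[str]:
    """FUNC names related by prefix to a missing target, e.g. do_execve -> do_execveat_common."""
    return sorted(
        name for name in func_ids
        if name != func and (name.startswith(func) or func.startswith(name))
    )


def check_live(sec: str) -> Optional[int]:
    """Same lookup against the running kernel's BTF; raises RuntimeError without bpftool."""
    if shutil.which("bpftool") is None:
        raise RuntimeError("bpftool not found; cannot dump /sys/kernel/btf/vmlinux")
    out = subprocess.run(
        ["bpftool", "btf", "dump", "file", "/sys/kernel/btf/vmlinux"],
        capture_output=True, text=True, check=True,
    ).stdout
    return resolve_attach_target(sec, btf_func_ids(out.splitlines()))


if __name__ == "__main__":
    ids = btf_func_ids(SAMPLE_BTF_DUMP.splitlines())
    for sec in ("fentry/do_unlinkat", "fentry/do_execve"):
        btf_id = resolve_attach_target(sec, ids)
        if btf_id is None:
            name = sec.split("/", 1)[1]
            print(f"{sec}: no BTF FUNC entry, libbpf would fail with -3 (ESRCH); "
                  f"candidates: {suggest_targets(name, ids)}")
        else:
            print(f"{sec}: BTF type id {btf_id}")
```

Against the sample dump, `fentry/do_unlinkat` resolves and `fentry/do_execve` does not, with `do_execveat_common` offered as the candidate; on a real machine `check_live("fentry/do_execve")` runs the same lookup over the running kernel's BTF, which is the quickest way to tell whether a given kernel build exposes a function as a tracing target at all.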